Search code, repositories, users, issues, pull requests...

fix: Disable OSS Index if its credentials are missing (#7963)
fix: Correct CVSSv4 parsing for low precision OSSIndex values (#7935)
fix(fp): Fix false positives for Redis Server against NPM/JS client libs (#7942)
docs: Fix legacy GitHub links within docs and CHANGELOG (#7944)
chore: fix version typo in security policy (#7936)

See the full listing of changes

`v12.1.5`

fix: Update to support OSS Index Authentication Requirements (#7920)
- Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
fix: add CVSSv4 to suppressed entries in JSON report (#7900)
fix: correctly utilize CVSSv4 from ossindex (#7899)
fix: npe when processing cve with empty configuration (#7888)
fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#7848)
fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
fix: class loading problem with fat jars (#7786) (#7787)
fix: Improve Artifactory handler log message (#7838)
fix: classloading problem with fat jars (#7786)
fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#7784)
fix(fp): resolves several false positives related to CVE-2021-41033 (#7736)
docs: Clarify format of exclude patterns (#7879)
docs: Document poetry-based analysis behaviour in Python analyzer (#7855)
docs: request FP reporters use the latest version of ODC. (#7820)
docs: update development pre-reqs (#7792)
docs: fix minor typos in false positive issue template (#7763)

See the full listing of changes

`v12.1.4`

`v12.1.3`

fix: correct regex matches introduced in 12.1.2 (#7726)
build(deps): bump org.semver4j:semver4j from 5.7.0 to 5.7.1 (#7718)
build(deps): bump junit.version from 5.13.0 to 5.13.1 (#7719)

See the full listing of changes

`v12.1.2`

fix: Allow configuring OSS Index user/pw directly (#7640)
fix: remove vulnerable transitive dependency - beanutils (#7705)
fix: Simplify PHP framework suppression for Composer (#7693)
fix: update CPE pattern to remove FP (#7684)
fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces (#7653)
fix: Resolve various WCAG accessibility / css issues in the HTML report (#7629)
fix: #7510 Display a dedicated message when receiving an HTTP 403 (#7575)
docs: Make Vulnerability Sources in Related Work clearer (#7691)
docs: #7610 add a reference to NVD mirroring in getting started documentation (#7611)

See the full listing of changes

`v12.1.1`

fix: resolve NVD data Parse error com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))
- bump open-vulnerability-client from 7.3.1 to 7.3.2 (#7577)
fix: update links for repository move from jeremylong to the dependency-check organization (#7373)
fix: resolve NPE when processing CVE-2025-2682 (#7558)
fix: prevent rogue base suppression files (#7544)
fix: #6819 handle invalid toml file (#7548)
fix: Use unscored severity only in absence of any CVSS baseScore (#7530)
fix: protect against exotic version number of yarn (#7525)
fix: Ignore require-bundle MANIFEST.MF entry for evidence (#7523)
fix: avoid error on yarn berry audit when no vulnerability found (#7501)
fix: improve null checks in Downloader (#7493)
fix: improve null checks resolves dependency-check/dependency-check-gradle#441
fix: Avoid FPs when Composer product name has php (#7486)
fix: cli not honoring window paths correctly (#7470)
fix: Also apply muteNoisyLoggers to UpdateMojo (#7469)
fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed (#7437)
docs: sync the supported Maven version with the one stated in the system requirement section (#7570)
docs: update proxy config documentation (#7550)
docs: Remove copyright as requested by the Apache foundation
docs: drop redundant text in the Internet Access Required section (#7521)
docs: correct gradle documentation (#7511)

See the full listing of changes

`v12.1.0`

build(deps): bump open-vulnerability-client to 7.2.2 (#7407)
- resolves issue with downloading data from the NVD (#7406)
fix: Improve thread safety issue #7338 alternative (#7367)
feat: Implement Yarn Berry Analyser (#7319)

See the full listing of changes

`v12.0.2`

fix: correct JSON report error (#7350)
fix: some compatability issues in the gitlab report (#7349)
fix: ArtifactoryAnalyzer updated to use the HTTPClient5-based Downloader and skip unusable results (#7293)
chore: allow messages via EngineVersionCheck (#7353)
chore: switch from javax.json to jakarta.json (#7326)

See the full listing of changes.

`v12.0.1`

docs: Fix OSS Index Maven config documentation (#7322)
Fix OSS Index Maven config documentation
chore(docs): Document Gradle plugin support for failBuildOnUnusedSuppressionRule (#7307)
chore(docs): Correct analyzers config example to use Gradle dot-syntax (#7305)
fix: improve error message on improperly configured serverId credentials in settings.xml (#7313)
fix: Lower Basic serverId when Bearer was expected to a warning
fix: improve error message on improperly configured serverId credentials
fix: Correct nonProxyHosts support when no sys properties set (#7306)
core(docs): Group failBuildOnUnusedSuppressionRule flag next to suppression file configuration
core(docs): Update Gradle plugin documentation for failBuildOnUnusedSuppressionRule support
fix: Correct nonProxyHosts support when no sys properties set
chore(docs): Correct analyzers config example to use Gradle dot-syntax

See the full listing of changes.

`v12.0.0`

BREAKING CHANGE: report on CVSS v4 (#7204)
- the schema has been updated to include CVSS v4 for JSON and XML reports
feat: show from which dependency the CVE comes in failure report (#7224)
feat: Use Maven settings decryption API for decrypting secrets from settings.xml (#7284)
feat: Extend authentication to support Bearer token for many resources (#7277)
feat: Add a flag to fail when one or more suppression rules are not used (#7244)
fix: add product evidence as vendor to reduce FN (#7295)
fix: Make the HTTP-Client use pre-emptive authentication (#7255)
fix: Add the missing proxy credentials for suppressionFileUser/Password authentication scenario
fix: increase max retry count (#7252)
fix: Make the HTTP-Client use pre-emptive authentication for configured server credentials and extend HTTPClient usage to Nexus search
fix: Tranform into UTC the last modified date from database (#7222)

See the full listing of changes.

`v11.1.1`

fix: re-enable issue locking (#7220)
fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#7169)
fix: rework replaceOrAddVulnerability (#7177)
fix: do not log loading of JDBC driver (#7155)
fix: expose flag to disable version check (#7147)
fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#7125)
chore: cleanup base suppression (#7138)
docs: update gradle configuration documentation (#7176)
docs: update documentation for Gradle plugin (#7143)
docs: improve false positive issue templat (#7130)

See the full listing of changes.

`v11.1.0`

feat: PHP Composer Analyzer now scans packages-dev by default (#7114)
- Users can configure if packages-dev should be skipped
fix(regression): re-add h2 database driver name (#7115)
fix(regression): Make the Downloader honour the proxy.nonproxyhosts ODC Setting (#7077)
fix: do not set legacy proxy from maven or env (#7072) (#7074)
docs: add missing documentation for the MS Build Analyzer (#7113)
docs: Document the breaking change for Maven plugin as reporting plugin (#7079)

See the full listing of changes.

`v11.0.0`

breaking change: Switch from JMockit to Mockito & build target to Java 11 (#6922)
- dependency-check now requires a minimum of Java 11.0 to run
breaking change: bump com.h2database:h2 from 2.1.214 to 2.3.232 (#6132)
- H2 databases generated with an older version of ODC will not work with ODC 11.0.0; a new H2 db must be generated
breaking change: Maven plugin updated to Doxia 2.x reporting stack
- Users of the Maven plugin that configure it as a reporting plugin will need to use maven-site-plugin 3.20.0 or later (#6959)
feat: Replace old Downloader by an Apache HTTPClient based downloader
feat: Use Apache HTTPClient for downloads of public resources (#6949)
feat: Also make NodeAuditSearch usr our HTTPClient based connections
feat: Also make OSSIndexAnalyzer use our HTTPClient based connections
feat: Migrate CentralSearch to use Apache HTTP-client via Downloader
feat: Extend apache HTTP-client usage to EngineVersionCheck
feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers (#6938)
fix: use latest generated suppressions (#7064)
fix: Fixup parameter sequence for Dowloader credentials (#7033)
fix: Fixup the missing addition of NVD API Datafeed credentials (if configured)
fix: Fixup broken proxy authentication in first attempt; extend to include KEV downloads
fix: store timestamps locally for local resources (#6936)
build: Remove the animal-sniffer, propagate java version to plugin-archetype (#6950)
build: Update Checkstyle configuration and Suppression DTD references (#6951)
chore: Update test db schema (#7036)
chore: remove old, unneeded database upgrade script
docs: reformat javadoc (#7009)
docs: Fixup javadoc warnings (#6995)
chore: Replace use of several deprecated methods/classes by their successors (#6933)

See the full listing of changes.

`v10.0.4`

build(deps): exclude unused dependency (#6916)
fix: improve regex (#6917)
fix: correctly handle null values in cpeMatch (#6915)
fix(site): Update Fluido skin to resolve broken fork-me-on-github image (#6914)
fix: do not report over 100% download complete (#6899)
fix: Correct spelling of occurring in NvdApiDataSource.java (#6883)
fix: skip blank lines in requirements.txt (#6867)
fix: correct percentage calculation (#6868)
docs: remove old recommendation (#6860)

See the full listing of changes.

`v10.0.3`

feat: Enable configuration of a lower resultsPerPage on NVD API (#6843)
build(deps): bump open-vulnerability-clients from 6.1.6 to 6.1.7 (#6848)
build(deps): bump JamesIves/github-pages-deploy-action from 4.6.1 to 4.6.3 (#6814)
build(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.0 (#6762)
build(deps): bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 (#6815)
build(deps): bump golang from 1.22.4-alpine to 1.22.5-alpine (#6805)

See the full listing of changes.

`v10.0.2`

Mandatory Upgrade - due to older versions of dependency-check causing numerous, spurious requests that end in processing failures, this upgrade is mandatory so that the NVD can differentiate valid requests and block the old clients.

build(deps): bump open-vulnerability-clients (#6810)
fix(db): #6788 removing redundant db index "idxVulnerability" on "vulnerability.cve" (#6807)
docs: Further improve formatting and docs of H2 database caching strats (#6804)
fix: update_vulnerability in dbStatements_oracle.properties (#6803)
fix: fix NPE (#6778)
fix: add hint to resolve false negative (#6802)
chore: update configure (#6794)

See the full listing of changes.

`v10.0.1`

build(deps): bump open-vulnerability-client (#6772)
fix: remove debug logging (#6770)
fix: postgresql column count error (#6773)
fix: mssql column name and version (#6761)
docs: update supported versions (#6771)

See the full listing of changes.

`v10.0.0`

breaking change: upgrade to dotnet 8.0 (#6580)
- Users of the AssemblyAnalyzer must upgrade/utilize dotnet 8 to analyze assemblies
feat: fix the NVD API related errors by adding cvssV4 support (#6756)
- breaking changes: anyone utilizing a centralized database will need to upgrade the schema; see changes in PR #6756
fix: avoid escaping unnecessary chars in HTML report suppression regexes (#6749)
fix: #6688 Trim version number when parsing POM (#6705)
fix: change request if lockfile is file v3 (#6690)
fix: skip pyproject.toml unless it contains tool.poetry before ensuring lockfiles (#6681)

See the full listing of changes.

`v9.2.0`

docs: update logo per intellj (#6660)
feat: Carthage analyzer (#6614)
fix: Ensure valid JSON output for gitlab report (#6630)
feat: Support Package.swift version 3 Specification (#6578)
chore: Update the packaged suppressions to include new hosted suppressions (#6567)

See the full listing of changes.

`v9.1.0`

feat: Add v2 support for maven_install.json (#6528)
build(deps): bump open-vulnerability-client (#6554)
- resolves update issues due to CVSS Metrics 4.0
build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#6353)
build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#6362)
build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#6506)

See the full listing of changes.

`v9.0.10`

fix: #4321 Suppress redis server CVEs for client libraries (#4321) (#6489)
fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#6492)
feat: Allow to pass NVD API key via environment variable (#6454)
fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#6501)
docs: document the default data directory (#6484)
fix: prevent NPE in bundler audit (#6462)
fix: #6441 Improve suppression rule to not restrict to a single version (#6442)

See the full listing of changes.

`v9.0.9`

fix: for #6374 to delete non-empty directories (#6375)
fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) (#6377)
chore: close stream to prevent possible resource leak (#6382)
docs: Document default for CLI --data (#6359)
docs: document gradle build (#6371)

See the full listing of changes.

`v9.0.8`

fix: favor stability over performance (#6349)
chore: replace commons-io with core java calls (#6343)
fix: improve error reporting for invalid H2 database (#6339)
fix: rework fix for closing input streams on errors correctly (#6338)
fix: reduce chance NVD API block updates due to rate limit (#6333)
fix: ensure open handles will not leak on errors (#6326)
fix: improve error reporting (#6324)

See the full listing of changes.

`v9.0.7`

docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#6315)
fix: improve memory usage on NVD update (#6321)
fix: skip pyproject.toml unless it contains tool.poetry (#6316)
fix: resolve build error that may cause an issue on some JDK versions (#6312)

See the full listing of changes.

`v9.0.6`

build: bump open-vulnerability-clients@5.1.1 (#6308)
fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 (#6307)
fix: update java version check (#6297)
fix: more efficient memory usage (#6299)
fix: stream NVD data via Jackson to reduce memory footprint (#6275)
docs: document github action caching (#6301)

See the full listing of changes.

`v9.0.5`

fix: make NVD API endpoint configurable (#6287)
fix: synch last modified timestamp for NVD API (#6281)
fix: read NVD cache meta files if cache.properties does not exist (#6282)
fix: correct property for nonProxyHosts (#6285)
fix: reduce apache http logging (#6280)
fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db (#6271)
build: bump golang in the docker image (#6274)
fix: use temporary files to reduce memory usage during the NVD Update (#6270)
fix: use BIT for Oracle DB instead of Boolean when calling prepared statements (#6264)
fix: showing all reference tags in reports (#6259)

See the full listing of changes.

`v9.0.4`

fix: utilize maven proxy if present (#6255)
fix: allow api key in cli to be quoted (#6253)
fix: use correct maven plugin reporting plugin (#6244)
fix: correct trailing comma in JSON report (#6245)

See the full listing of changes.

`v9.0.3`

fix: use Java properties for proxy configuration (#6238)
docs: update proxy configuration documentation (#6237)
docs: add documentation on caching (#6204)
docs: Clarify H2 database caching strategy (#6220)
docs: Update list of supported report formats (#6224)
docs: example 5 with new nvdDatafeedUrl parameter (#6215)
fix: prevent NPEs (#6232 and #6206)
fix: check valid for hours for NVD API (#6225)
fix: correct NVD cache last checked logic (#6218)
fix: nvd datafeed should process current year (#6213)
fix: correct references to cvssv2 and cvssv3 fields in json and xml reports (#6212)
fix: correct name on reference links in report (#6205)
fix: flaws int the gitlab report (#6193)

See the full listing of changes.

`v9.0.2`

fix: remove virtual match string on NVD API Request (#6177)
fix: correct meta data in report after switching the NVD API (#6154)
fix: retry HTTP connections to NVD on 502 and 504 errors (#6151)
fix: Gitlab report format needs severity capitalized (#6182)
fix: improve JDK update version parsing (#6163)
fix: mute JCS logging (again) (#6153)

See the full listing of changes.

`v9.0.1`

fix: #4321 Suppress redis server CVEs for client libraries (#4321) (#6489)
fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#6492)
feat: Allow to pass NVD API key via environment variable (#6454)
fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#6501)
docs: document the default data directory (#6484)
fix: prevent NPE in bundler audit (#6462)
fix: #6441 Improve suppression rule to not restrict to a single version (#6442)

See the full listing of changes.

`v9.0.0`

breaking changes: See the upgrade notice

feat: Utilize NVD API (#5978)
feat: gitlab dependency scanner report format #5919 (#5920)
fix: Use ASCII apostrophe for console message (#6076)

See the full listing of changes.

`v8.4.3`

fix: bump jcs3 (#6047)
docs: Corrected docs on hostedSuppressions (#6035)

See the full listing of changes.

`v8.4.2`

fix: correct log configuration in cli (#6002)

See the full listing of changes.

`v8.4.1`

Fixed

fix: upgrade to JCS3 (#5114)
fix: Support ~= version specifier in requirements.txt and pipfile (#5902)
fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name (#5901)
fix: Do not filter out evidences added by hints (#5900)
fix: fixes FP #5925 (#5927)

See the full listing of changes.

`v8.4.0`

Added

feat: Add support for Nexus v3 to NexusAnalyzer (#5849)

Fixed

fix: Hint Analyzer should run before VersionFilter Analyzer (#5818)
chore: switch to sha1-pinning as suggested by Semgrep
fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#5845)
fix: use curl with -L to follow github redirect (#5808)
fix: use curl with -L to follow github redirect
fix: #5671 out of memory error (#5789)
fix: #5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of changes.

`v8.3.1`

Re-release of 8.3.0 as 8.3.1.

`v8.3.0`

Added

Add LibmanAnalyzer (#5652)
Update HTML report Dependencies header based on display settings (#5619)
Add link to suppressed vulnerabilities header in HTML report (#5620)
Enable local proxy configuration in maven plugin configuration (#5696)

Fixed

Fix npm alias present in requires of dependencies (#5703)
Make Central URL configurable via CLI (#5667)
Ensure support of CVSSv3.1 (#5602)

See the full listing of changes.

`v8.2.1`

Fixed

NullPointerException in MSBuildAnalyzer (#5589)
SQL Syntax for Oracle (#5590)
Use https:// URLs in report templates (#5582)

See the full listing of changes.

`v8.2.0`

Added

Support msbuild Directory.build.props (#5475)
better display of NPM audit references
Add CVSS V3 results from NPM Audit results

Fixed

Fix several issues on NPM Audit reporting (#5546)
Case issue in SQL (#5557)
Fix CWE(s) extraction for NPM Audit advisories
Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of changes.

`v8.1.2`

Fixed

Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#5512)

See the full listing of changes.

`v8.1.1`

Fixed

allow hosted suppressions file to be disabled (#5509)
Several FPs not suitable for our automation (#5504)
Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#5503)
Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#5487)
Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#5473)
Node package dependencies ending up as related dependency of the wrong version of the package (#5479)
do not throw error if pyproject.toml is in node_modules (#5470)

See the full listing of changes.

`v8.1.0`

Added

Pipefile.lock files are now supported ([#5404](https://redirect.gi

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

sonarqubecloud · 2024-03-31T12:48:05Z

Quality Gate passed

See analysis details on SonarCloud

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

sonarqubecloud · 2024-05-15T17:18:47Z

Quality Gate passed

See analysis details on SonarCloud

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

sonarqubecloud · 2024-09-01T12:38:53Z

Quality Gate passed

See analysis details on SonarCloud

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2024-12-04T12:15:58Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-02-16T17:02:33Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-04-05T19:26:12Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-06-10T17:54:37Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

sonarqubecloud · 2025-10-03T10:02:22Z

Quality Gate passed

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code