v12.1.6

Compare Source

• fix: Disable OSS Index if its credentials are missing (#​7963)
• fix: Correct CVSSv4 parsing for low precision OSSIndex values (#​7935)
• fix(fp): Fix false positives for Redis Server against NPM/JS client libs (#​7942)
• docs: Fix legacy GitHub links within docs and CHANGELOG (#​7944)
• chore: fix version typo in security policy (#​7936)

See the full listing of changes

v12.1.5

Compare Source

• fix: Update to support OSS Index Authentication Requirements (#​7920)
  • Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
• fix: add CVSSv4 to suppressed entries in JSON report (#​7900)
• fix: correctly utilize CVSSv4 from ossindex (#​7899)
• fix: npe when processing cve with empty configuration (#​7888)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#​7848)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
• fix: class loading problem with fat jars (#​7786) (#​7787)
• fix: Improve Artifactory handler log message (#​7838)
• fix: classloading problem with fat jars (#​7786)
• fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#​7784)
• fix(fp): resolves several false positives related to CVE-2021-41033 (#​7736)
• docs: Clarify format of exclude patterns (#​7879)
• docs: Document poetry-based analysis behaviour in Python analyzer (#​7855)
• docs: request FP reporters use the latest version of ODC. (#​7820)
• docs: update development pre-reqs (#​7792)
• docs: fix minor typos in false positive issue template (#​7763)

See the full listing of changes

v12.1.4

Compare Source

v12.1.3

Compare Source

• fix: correct regex matches introduced in 12.1.2 (#​7726)
• build(deps): bump org.semver4j:semver4j from 5.7.0 to 5.7.1 (#​7718)
• build(deps): bump junit.version from 5.13.0 to 5.13.1 (#​7719)

See the full listing of changes

v12.1.2

Compare Source

• fix: Allow configuring OSS Index user/pw directly (#​7640)
• fix: remove vulnerable transitive dependency - beanutils (#​7705)
• fix: Simplify PHP framework suppression for Composer (#​7693)
• fix: update CPE pattern to remove FP (#​7684)
• fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces (#​7653)
• fix: Resolve various WCAG accessibility / css issues in the HTML report (#​7629)
• fix: #​7510 Display a dedicated message when receiving an HTTP 403 (#​7575)
• docs: Make Vulnerability Sources in Related Work clearer (#​7691)
• docs: #​7610 add a reference to NVD mirroring in getting started documentation (#​7611)

See the full listing of changes

v12.1.1

Compare Source

• fix: resolve NVD data Parse error com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))
  • bump open-vulnerability-client from 7.3.1 to 7.3.2 (#​7577)
• fix: update links for repository move from jeremylong to the dependency-check organization (#​7373)
• fix: resolve NPE when processing CVE-2025-2682 (#​7558)
• fix: prevent rogue base suppression files (#​7544)
• fix: #​6819 handle invalid toml file (#​7548)
• fix: Use unscored severity only in absence of any CVSS baseScore (#​7530)
• fix: protect against exotic version number of yarn (#​7525)
• fix: Ignore require-bundle MANIFEST.MF entry for evidence (#​7523)
• fix: avoid error on yarn berry audit when no vulnerability found (#​7501)
• fix: improve null checks in Downloader (#​7493)
• fix: improve null checks resolves dependency-check/dependency-check-gradle#441
• fix: Avoid FPs when Composer product name has php (#​7486)
• fix: cli not honoring window paths correctly (#​7470)
• fix: Also apply muteNoisyLoggers to UpdateMojo (#​7469)
• fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed (#​7437)
• docs: sync the supported Maven version with the one stated in the system requirement section (#​7570)
• docs: update proxy config documentation (#​7550)
• docs: Remove copyright as requested by the Apache foundation
• docs: drop redundant text in the Internet Access Required section (#​7521)
• docs: correct gradle documentation (#​7511)

See the full listing of changes

v12.1.0

Compare Source

• build(deps): bump open-vulnerability-client to 7.2.2 (#​7407)
  • resolves issue with downloading data from the NVD (#​7406)
• fix: Improve thread safety issue #​7338 alternative (#​7367)
• feat: Implement Yarn Berry Analyser (#​7319)

See the full listing of changes

v12.0.2

Compare Source

• fix: correct JSON report error (#​7350)
• fix: some compatability issues in the gitlab report (#​7349)
• fix: ArtifactoryAnalyzer updated to use the HTTPClient5-based Downloader and skip unusable results (#​7293)
• chore: allow messages via EngineVersionCheck (#​7353)
• chore: switch from javax.json to jakarta.json (#​7326)

See the full listing of changes.

v12.0.1

Compare Source

• docs: Fix OSS Index Maven config documentation (#​7322)
• Fix OSS Index Maven config documentation
• chore(docs): Document Gradle plugin support for failBuildOnUnusedSuppressionRule (#​7307)
• chore(docs): Correct analyzers config example to use Gradle dot-syntax (#​7305)
• fix: improve error message on improperly configured serverId credentials in settings.xml (#​7313)
• fix: Lower Basic serverId when Bearer was expected to a warning
• fix: improve error message on improperly configured serverId credentials
• fix: Correct nonProxyHosts support when no sys properties set (#​7306)
• core(docs): Group failBuildOnUnusedSuppressionRule flag next to suppression file configuration
• core(docs): Update Gradle plugin documentation for failBuildOnUnusedSuppressionRule support
• fix: Correct nonProxyHosts support when no sys properties set
• chore(docs): Correct analyzers config example to use Gradle dot-syntax

See the full listing of changes.

v12.0.0

Compare Source

• BREAKING CHANGE: report on CVSS v4 (#​7204)
  • the schema has been updated to include CVSS v4 for JSON and XML reports
• feat: show from which dependency the CVE comes in failure report (#​7224)
• feat: Use Maven settings decryption API for decrypting secrets from settings.xml (#​7284)
• feat: Extend authentication to support Bearer token for many resources (#​7277)
• feat: Add a flag to fail when one or more suppression rules are not used (#​7244)
• fix: add product evidence as vendor to reduce FN (#​7295)
• fix: Make the HTTP-Client use pre-emptive authentication (#​7255)
• fix: Add the missing proxy credentials for suppressionFileUser/Password authentication scenario
• fix: increase max retry count (#​7252)
• fix: Make the HTTP-Client use pre-emptive authentication for configured server credentials and extend HTTPClient usage to Nexus search
• fix: Tranform into UTC the last modified date from database (#​7222)

See the full listing of changes.

v11.1.1

Compare Source

• fix: re-enable issue locking (#​7220)
• fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#​7169)
• fix: rework replaceOrAddVulnerability (#​7177)
• fix: do not log loading of JDBC driver (#​7155)
• fix: expose flag to disable version check (#​7147)
• fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#​7125)
• chore: cleanup base suppression (#​7138)
• docs: update gradle configuration documentation (#​7176)
• docs: update documentation for Gradle plugin (#​7143)
• docs: improve false positive issue templat (#​7130)

See the full listing of changes.

v11.1.0

Compare Source

• feat: PHP Composer Analyzer now scans packages-dev by default (#​7114)
  • Users can configure if packages-dev should be skipped
• fix(regression): re-add h2 database driver name (#​7115)
• fix(regression): Make the Downloader honour the proxy.nonproxyhosts ODC Setting (#​7077)
• fix: do not set legacy proxy from maven or env (#​7072) (#​7074)
• docs: add missing documentation for the MS Build Analyzer (#​7113)
• docs: Document the breaking change for Maven plugin as reporting plugin (#​7079)

See the full listing of changes.

v11.0.0

Compare Source

• breaking change: Switch from JMockit to Mockito & build target to Java 11 (#​6922)
  • dependency-check now requires a minimum of Java 11.0 to run
• breaking change: bump com.h2database:h2 from 2.1.214 to 2.3.232 (#​6132)
  • H2 databases generated with an older version of ODC will not work with ODC 11.0.0; a new H2 db must be generated
• breaking change: Maven plugin updated to Doxia 2.x reporting stack
  • Users of the Maven plugin that configure it as a reporting plugin will need to use maven-site-plugin 3.20.0 or later (#​6959)
• feat: Replace old Downloader by an Apache HTTPClient based downloader
• feat: Use Apache HTTPClient for downloads of public resources (#​6949)
• feat: Also make NodeAuditSearch usr our HTTPClient based connections
• feat: Also make OSSIndexAnalyzer use our HTTPClient based connections
• feat: Migrate CentralSearch to use Apache HTTP-client via Downloader
• feat: Extend apache HTTP-client usage to EngineVersionCheck
• feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers (#​6938)
• fix: use latest generated suppressions (#​7064)
• fix: Fixup parameter sequence for Dowloader credentials (#​7033)
• fix: Fixup the missing addition of NVD API Datafeed credentials (if configured)
• fix: Fixup broken proxy authentication in first attempt; extend to include KEV downloads
• fix: store timestamps locally for local resources (#​6936)
• build: Remove the animal-sniffer, propagate java version to plugin-archetype (#​6950)
• build: Update Checkstyle configuration and Suppression DTD references (#​6951)
• chore: Update test db schema (#​7036)
• chore: remove old, unneeded database upgrade script
• docs: reformat javadoc (#​7009)
• docs: Fixup javadoc warnings (#​6995)
• chore: Replace use of several deprecated methods/classes by their successors (#​6933)

See the full listing of changes.

v10.0.4

Compare Source

• build(deps): exclude unused dependency (#​6916)
• fix: improve regex (#​6917)
• fix: correctly handle null values in cpeMatch (#​6915)
• fix(site): Update Fluido skin to resolve broken fork-me-on-github image (#​6914)
• fix: do not report over 100% download complete (#​6899)
• fix: Correct spelling of occurring in NvdApiDataSource.java (#​6883)
• fix: skip blank lines in requirements.txt (#​6867)
• fix: correct percentage calculation (#​6868)
• docs: remove old recommendation (#​6860)

See the full listing of changes.

v10.0.3

Compare Source

• feat: Enable configuration of a lower resultsPerPage on NVD API (#​6843)
• build(deps): bump open-vulnerability-clients from 6.1.6 to 6.1.7 (#​6848)
• build(deps): bump JamesIves/github-pages-deploy-action from 4.6.1 to 4.6.3 (#​6814)
• build(deps): bump org.codehaus.mojo:versions-maven-plugin from 2.16.2 to 2.17.0 (#​6762)
• build(deps): bump org.apache.maven.plugins:maven-checkstyle-plugin from 3.3.1 to 3.4.0 (#​6815)
• build(deps): bump golang from 1.22.4-alpine to 1.22.5-alpine (#​6805)

See the full listing of changes.

v10.0.2

Compare Source

Mandatory Upgrade - due to older versions of dependency-check causing numerous, spurious requests that end in processing failures, this upgrade is mandatory so that the NVD can differentiate valid requests and block the old clients.

• build(deps): bump open-vulnerability-clients (#​6810)
• fix(db): #​6788 removing redundant db index "idxVulnerability" on "vulnerability.cve" (#​6807)
• docs: Further improve formatting and docs of H2 database caching strats (#​6804)
• fix: update_vulnerability in dbStatements_oracle.properties (#​6803)
• fix: fix NPE (#​6778)
• fix: add hint to resolve false negative (#​6802)
• chore: update configure (#​6794)

See the full listing of changes.

v10.0.1

Compare Source

• build(deps): bump open-vulnerability-client (#​6772)
• fix: remove debug logging (#​6770)
• fix: postgresql column count error (#​6773)
• fix: mssql column name and version (#​6761)
• docs: update supported versions (#​6771)

See the full listing of changes.

v10.0.0

Compare Source

• breaking change: upgrade to dotnet 8.0 (#​6580)
  • Users of the AssemblyAnalyzer must upgrade/utilize dotnet 8 to analyze assemblies
• feat: fix the NVD API related errors by adding cvssV4 support (#​6756)
  • breaking changes: anyone utilizing a centralized database will need to upgrade the schema; see changes in PR #​6756
• fix: avoid escaping unnecessary chars in HTML report suppression regexes (#​6749)
• fix: #​6688 Trim version number when parsing POM (#​6705)
• fix: change request if lockfile is file v3 (#​6690)
• fix: skip pyproject.toml unless it contains tool.poetry before ensuring lockfiles (#​6681)

See the full listing of changes.

v9.2.0

Compare Source

• docs: update logo per intellj (#​6660)
• feat: Carthage analyzer (#​6614)
• fix: Ensure valid JSON output for gitlab report (#​6630)
• feat: Support Package.swift version 3 Specification (#​6578)
• chore: Update the packaged suppressions to include new hosted suppressions (#​6567)

See the full listing of changes.

v9.1.0

Compare Source

• feat: Add v2 support for maven_install.json (#​6528)
• build(deps): bump open-vulnerability-client (#​6554)
  • resolves update issues due to CVSS Metrics 4.0
• build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#​6353)
• build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#​6362)
• build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#​6506)

See the full listing of changes.

v9.0.10

Compare Source

• fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
• fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
• feat: Allow to pass NVD API key via environment variable (#​6454)
• fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
• docs: document the default data directory (#​6484)
• fix: prevent NPE in bundler audit (#​6462)
• fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.9

Compare Source

• fix: for #​6374 to delete non-empty directories (#​6375)
• fix: NoSuchMethodError closeQuietly(java.io.Closeable[]) (#​6377)
• chore: close stream to prevent possible resource leak (#​6382)
• docs: Document default for CLI --data (#​6359)
• docs: document gradle build (#​6371)

See the full listing of changes.

v9.0.8

Compare Source

• fix: favor stability over performance (#​6349)
• chore: replace commons-io with core java calls (#​6343)
• fix: improve error reporting for invalid H2 database (#​6339)
• fix: rework fix for closing input streams on errors correctly (#​6338)
• fix: reduce chance NVD API block updates due to rate limit (#​6333)
• fix: ensure open handles will not leak on errors (#​6326)
• fix: improve error reporting (#​6324)

See the full listing of changes.

v9.0.7

Compare Source

• docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#​6315)
• fix: improve memory usage on NVD update (#​6321)
• fix: skip pyproject.toml unless it contains tool.poetry (#​6316)
• fix: resolve build error that may cause an issue on some JDK versions (#​6312)

See the full listing of changes.

v9.0.6

Compare Source

• build: bump open-vulnerability-clients@​5.1.1 (#​6308)
• fix: mask nvd.api.key in logs; see GHSA-qqhq-8r2c-c3f5 (#​6307)
• fix: update java version check (#​6297)
• fix: more efficient memory usage (#​6299)
• fix: stream NVD data via Jackson to reduce memory footprint (#​6275)
• docs: document github action caching (#​6301)

See the full listing of changes.

v9.0.5

Compare Source

• fix: make NVD API endpoint configurable (#​6287)
• fix: synch last modified timestamp for NVD API (#​6281)
• fix: read NVD cache meta files if cache.properties does not exist (#​6282)
• fix: correct property for nonProxyHosts (#​6285)
• fix: reduce apache http logging (#​6280)
• fix: store last modified timestamp for RetireJS and the Hosted Suppression File in db (#​6271)
• build: bump golang in the docker image (#​6274)
• fix: use temporary files to reduce memory usage during the NVD Update (#​6270)
• fix: use BIT for Oracle DB instead of Boolean when calling prepared statements (#​6264)
• fix: showing all reference tags in reports (#​6259)

See the full listing of changes.

v9.0.4

Compare Source

• fix: utilize maven proxy if present (#​6255)
• fix: allow api key in cli to be quoted (#​6253)
• fix: use correct maven plugin reporting plugin (#​6244)
• fix: correct trailing comma in JSON report (#​6245)

See the full listing of changes.

v9.0.3

Compare Source

• fix: use Java properties for proxy configuration (#​6238)
• docs: update proxy configuration documentation (#​6237)
• docs: add documentation on caching (#​6204)
• docs: Clarify H2 database caching strategy (#​6220)
• docs: Update list of supported report formats (#​6224)
• docs: example 5 with new nvdDatafeedUrl parameter (#​6215)
• fix: prevent NPEs (#​6232 and #​6206)
• fix: check valid for hours for NVD API (#​6225)
• fix: correct NVD cache last checked logic (#​6218)
• fix: nvd datafeed should process current year (#​6213)
• fix: correct references to cvssv2 and cvssv3 fields in json and xml reports (#​6212)
• fix: correct name on reference links in report (#​6205)
• fix: flaws int the gitlab report (#​6193)

See the full listing of changes.

v9.0.2

Compare Source

• fix: remove virtual match string on NVD API Request (#​6177)
• fix: correct meta data in report after switching the NVD API (#​6154)
• fix: retry HTTP connections to NVD on 502 and 504 errors (#​6151)
• fix: Gitlab report format needs severity capitalized (#​6182)
• fix: improve JDK update version parsing (#​6163)
• fix: mute JCS logging (again) (#​6153)

See the full listing of changes.

v9.0.1

Compare Source

• fix: #​4321 Suppress redis server CVEs for client libraries (#​4321) (#​6489)
• fix: bump commons-compress from 1.25.0 to 1.26.0 to fix CVE-2024-25710 and CVE-2024-26308 (#​6492)
• feat: Allow to pass NVD API key via environment variable (#​6454)
• fix: issue 5452 - ConcurrentModificationException in NodePackageAnalyzer.processDependencies - adding synchronized block (#​6501)
• docs: document the default data directory (#​6484)
• fix: prevent NPE in bundler audit (#​6462)
• fix: #​6441 Improve suppression rule to not restrict to a single version (#​6442)

See the full listing of changes.

v9.0.0

Compare Source

breaking changes: See the upgrade notice

• feat: Utilize NVD API (#​5978)
• feat: gitlab dependency scanner report format #​5919 (#​5920)
• fix: Use ASCII apostrophe for console message (#​6076)

See the full listing of changes.

v8.4.3

Compare Source

• fix: bump jcs3 (#​6047)
• docs: Corrected docs on hostedSuppressions (#​6035)

See the full listing of changes.

v8.4.2

Compare Source

• fix: correct log configuration in cli (#​6002)

See the full listing of changes.

v8.4.1

Compare Source

Fixed

• fix: upgrade to JCS3 (#​5114)
• fix: Support ~= version specifier in requirements.txt and pipfile (#​5902)
• fix: Version of dependency no longer ignored when CPE product has a 'java' suffix in a product name (#​5901)
• fix: Do not filter out evidences added by hints (#​5900)
• fix: fixes FP #​5925 (#​5927)

See the full listing of changes.

v8.4.0

Compare Source

Added

• feat: Add support for Nexus v3 to NexusAnalyzer (#​5849)

Fixed

• fix: Hint Analyzer should run before VersionFilter Analyzer (#​5818)
• chore: switch to sha1-pinning as suggested by Semgrep
• fix: OSS Index Analyzer SocketTimeoutException exception handling based on warn only parameter (#​5845)
• fix: use curl with -L to follow github redirect (#​5808)
• fix: use curl with -L to follow github redirect
• fix: #​5671 out of memory error (#​5789)
• fix: #​5671 Exit method as soon as we detect a loop to prevent an infinite loop leading to an OutOfMemoryError

See the full listing of changes.

v8.3.1

Compare Source

Re-release of 8.3.0 as 8.3.1.

v8.3.0

Compare Source

Added

• Add LibmanAnalyzer (#​5652)
• Update HTML report Dependencies header based on display settings (#​5619)
• Add link to suppressed vulnerabilities header in HTML report (#​5620)
• Enable local proxy configuration in maven plugin configuration (#​5696)

Fixed

• Fix npm alias present in requires of dependencies (#​5703)
• Make Central URL configurable via CLI (#​5667)
• Ensure support of CVSSv3.1 (#​5602)

See the full listing of changes.

v8.2.1

Compare Source

Fixed

• NullPointerException in MSBuildAnalyzer (#​5589)
• SQL Syntax for Oracle (#​5590)
• Use https:// URLs in report templates (#​5582)

See the full listing of changes.

v8.2.0

Compare Source

Added

• Support msbuild Directory.build.props (#​5475)
• better display of NPM audit references
• Add CVSS V3 results from NPM Audit results

Fixed

• Fix several issues on NPM Audit reporting (#​5546)
• Case issue in SQL (#​5557)
• Fix CWE(s) extraction for NPM Audit advisories
• Use the stable github_advisory_id instead of the now unstable id in NPM audit results

See the full listing of changes.

v8.1.2

Compare Source

Fixed

• Fix NullPointerException in the Jar Analyzer introduced in 8.1.1 (#​5512)

See the full listing of changes.

v8.1.1

Compare Source

Fixed

• allow hosted suppressions file to be disabled (#​5509)
• Several FPs not suitable for our automation (#​5504)
• Fix incorrect defaults for nexus and central-analyzer in gradle plugin documentation (#​5503)
• Erroneous error-log for deprecated CLI flag usage when using properyfile based disablement of Node Audit Analyzer (#​5487)
• Prefer pom.properties G/A/V over pom.xml G/A/V to resolve GAV interpolation issues (#​5473)
• Node package dependencies ending up as related dependency of the wrong version of the package (#​5479)
• do not throw error if pyproject.toml is in node_modules (#​5470)

See the full listing of changes.

v8.1.0

Compare Source

Added

• Pipefile.lock files are now supported ([#​5404](https://redirect.gi