Update dependency org.owasp:dependency-check-maven to v12

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.owasp:dependency-check-maven (source)	11.1.0 → 12.2.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

dependency-check/DependencyCheck (org.owasp:dependency-check-maven)

v12.2.2

Compare Source

NOTE: The database schema was updated to fix #​8466 - if using an external database the update scripts must be run!

• feat: improve Sonatype Guide / OSS Index cache handling and insufficient credits error reporting (#​8451)
• feat: support and prefer githubID vuln identifiers from RetireJS (#​8419)
• fix(db): widen reference URL column to handle long Mozilla CVE URLs (#​8467)
• fix: add corepack to docker image (#​8386)
• fix: bump open-vulnerability-clients to resolve NVD timestamp parsing errors (#​8427)
• fix: de-duplicate and sort both includedBy and projectReferences in reports (#​8440)
• fix: migrate default OSS Index API URL to Sonatype Guide; supporting optional username (#​8404)
• docs: correct missing documentation for Gradle plugin (#​8431)
• docs: tweak docs site structure; documenting missing analyzers (#​8462)
• chore: remove spurious bundle-audit log line when there are no errors (#​8454)
• chore: tidy CHANGELOG formatting (#​8414)
• chore(fp): remove duplicate log4j FP suppressions (#​8468)
• build(deps): bump apache.ant.version from 1.10.16 to 1.10.17 (#​8416)
• build(deps): bump com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3 (#​8465)
• build(deps): bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre (#​8420)
• build(deps): bump com.mysql:mysql-connector-j from 9.6.0 to 9.7.0 (#​8445)
• build(deps): bump commons-codec:commons-codec from 1.21.0 to 1.22.0 (#​8453)
• build(deps): bump commons-io:commons-io from 2.21.0 to 2.22.0 (#​8448)
• build(deps): bump httpcomponents.client.version from 5.6 to 5.6.1 (#​8432)
• build(deps): bump joda-time:joda-time from 2.14.1 to 2.14.2 (#​8464)
• build(deps): bump org.apache.maven.plugins:maven-invoker-plugin from 3.9.1 to 3.10.0 (#​8452)
• build(deps): bump org.jsoup:jsoup from 1.22.1 to 1.22.2 (#​8437)
• build(deps): bump org.postgresql:postgresql from 42.7.10 to 42.7.11 (#​8463)
• build(deps): bump the actions-deps group with 8 updates (#​8472)

See the full listing of changes

v12.2.1

Compare Source

• fix(core): correct xml schema validation handling without needing external access (#​8272)
• fix(deps): upgrade slf4j and logback (#​8306)
• fix(test): disable pnpm analyzer during test (#​8305)
• fix: Correct published/hosted suppressions namespace header and indent (#​8258)
• fix: Suppress noisy WARN logging from Apache Lucene within Maven and Ant plugins (#​8248)
• fix: #​8140 AssemblyAnalyzer version resolution issue (#​8352)
• fix: #​8140 fix version resolution
• fix: #​8140 hint azure_identity_library_for_.net
• fix: #​8356 narrow down VersionFilterAnalyzer scope to JAR files (#​8358)
• fix: correct parsing for CVSSv4 strings with Provider Urgency (#​8377)
• fix: evidence source in Retire JS analyzer (#​8303)
• fix: exclude deprecations from Yarn Berry audit results (#​8380)
• fix: improve PEAnalyzer reliability by migrating to maintained PE/COFF 4J library fork (#​8245)
• fix: improve configuration consistency (casing) (#​8355)
• fix: improve logging of unexpected Java Errors during processing of NVD (#​8250)
• fix: raw type warning in ProcessReader (#​8324)
• fix: suppress false positives for zabbix-utils #​8087 (#​8218)
• fix: update docs (#​8405)
• fix: warn if deprecated configs are used (#​8366)
• docs: define schema locations in XML examples (#​8254)
• docs: document external data sources and hostnames (#​8219)
• docs: ensure OSS Index URL override is consistently documented (#​8338)
• docs: fix minor typo in README (#​8246)
• chore: avoid use of parent pom and maven properties where unnecessary (#​8322)
• chore: bump java development to 25.0 (#​8365)
• chore: fix Charset warnings; preferring typed charsets (#​8326)
• chore: fix Maven scm tags after 12.2.1-SNAPSHOT bump (#​8265)
• chore: pin GitHub actions to specific SHAs rather than mutable tags (#​8381)
• chore: remove unused properties and schemas (#​8378)
• test: Make tests locale independent (#​8328)
• test: #​8140 reproduce current behavior
• test: avoid polluting test classpaths with sample dependencies to be scanned (#​8267)
• build: improve GHA workflow experience for forks (#​8285)
• build: use maven jdk toolchains to build with Java 25; test against Java 11/17/21/25 (#​8292)

See the full listing of changes

v12.2.0

Compare Source

• feat: package and utilize generated suppression file (#​8116)
• feat: override pnpm audit registry parameter (#​8158)
• feat: support multiple cvssBelow thresholds per version (#​2563) (#​8024)
• feat: usage telemetry via scarf (#​8066)
• feat: add new suppression xsd allowing grouping of suppressions (#​7957)
• fix: add hint for Elastic APM Java agent CPE mapping (#​8200)
• fix: Allow NVD data feed metadata downloads to fail on 1st Jan while logging correct errors (#​8205)
• fix: correct XML/JSON report CVSS field & HTML report URL mappings (#​8156)
• fix: log GrokAssembly output when dotnet invocation fails (#​8141)
• fix: correct reliability of Central etc (JCS cache) analyzers on Java 25/Docker by making CLI classpath deterministic (#​8117)
• fix(ant): resolve relative paths against basedir (#​8202)
• fix(ant): resolve paths relative to basedir for suppression and output
• docs: Update & correct README (#​8166)
• docs: update suppression schema version (#​8136)
• docs: fix typos in some files (#​8135)
• chore: remove duplicate suppression rules from base that are in the generated branch (#​8138)
• chore: remove suppression rules that were deleted from the generatedSuppression branch (#​8119)
• build: transition dependency to org.eclipse.parsson groupId (#​8128)

See the full listing of changes

v12.1.9

Compare Source

• fix: correct bundle audit gem in Dockerfile (#​8121)
• fix: normalization during comparisons (#​8046)
• fix(fp): Improve false positive suppression for matches against golang web_project (#​8059)
• fix(fp): Consolidate/update icu4j suppressions for false positives (#​8062)
• fix(fp): Correct GRPC java suppressions for newer C/C++/native false positives (#​8063)
• fix(fp): Suppress false positive CPEs for protobuf-java per #​7854 (#​8064)
• docs: document multiple configurations for gradle (#​8111)
• docs: fix typos in some files (#​8106)
• docs: Update SBT plugin link; fix dead report link (#​8086)
• docs: fix #​8076 - Error in documentation "Suppressing False Positives" (#​8077)
• chore: Replace deprecated lucene methods (#​8079)

See the full listing of changes

v12.1.8

Compare Source

• fix: improve VulnerableSoftware comparison (#​8031)
• docs: Improve Gradle docs wrt experimental analyzers, use of Central and Proxy configuration (#​8036)
• docs: add note about central analyzer for gradle (#​8038)
• build: fix flaky central test (#​8039)

See the full listing of changes

v12.1.7

Compare Source

• fix: disable central analyzer after failures (#​7993)
• fix: Suppress JVM warnings from Lucene within CLI (#​8003)
• fix: Clean up Apache Lucene logging via SLF4j redirect (#​7979)
• fix: Correct Archive Analyzer behaviour on certain tgz archives (#​7986)
• fix: Update NVD CPE search URLs in generated reports to match new search interface (#​7970)
• fix: improve OSS Index Error Reporting (#​7977)
• fix(fp): Consolidate false positive suppression for false positives on Redis client libs (#​8017)
• fix(fp): Fix more common false positives for popular PHP/composer frameworks with generic names (#​7994)
• docs: improve slack notification documentation (#​8026)
• docs: Documentation artifactory settings fix (#​7999)
• docs: Clarify Nexus Analyzer requirements and usage (#​8000)
• build: Build amd64 and arm64 multi-platform Docker image (#​7952)

See the full listing of changes

v12.1.6

Compare Source

• fix: Disable OSS Index if its credentials are missing (#​7963)
• fix: Correct CVSSv4 parsing for low precision OSSIndex values (#​7935)
• fix(fp): Fix false positives for Redis Server against NPM/JS client libs (#​7942)
• docs: Fix legacy GitHub links within docs and CHANGELOG (#​7944)
• chore: fix version typo in security policy (#​7936)

See the full listing of changes

v12.1.5

Compare Source

• fix: Update to support OSS Index Authentication Requirements (#​7920)
  • Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer.
• fix: add CVSSv4 to suppressed entries in JSON report (#​7900)
• fix: correctly utilize CVSSv4 from ossindex (#​7899)
• fix: npe when processing cve with empty configuration (#​7888)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#​7848)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
• fix: class loading problem with fat jars (#​7786) (#​7787)
• fix: Improve Artifactory handler log message (#​7838)
• fix: classloading problem with fat jars (#​7786)
• fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#​7784)
• fix(fp): resolves several false positives related to CVE-2021-41033 (#​7736)
• docs: Clarify format of exclude patterns (#​7879)
• docs: Document poetry-based analysis behaviour in Python analyzer (#​7855)
• docs: request FP reporters use the latest version of ODC. (#​7820)
• docs: update development pre-reqs (#​7792)
• docs: fix minor typos in false positive issue template (#​7763)

See the full listing of changes

v12.1.4

Compare Source

v12.1.3

Compare Source

• fix: correct regex matches introduced in 12.1.2 (#​7726)
• build(deps): bump org.semver4j:semver4j from 5.7.0 to 5.7.1 (#​7718)
• build(deps): bump junit.version from 5.13.0 to 5.13.1 (#​7719)

See the full listing of changes

v12.1.2

Compare Source

• fix: Allow configuring OSS Index user/pw directly (#​7640)
• fix: remove vulnerable transitive dependency - beanutils (#​7705)
• fix: Simplify PHP framework suppression for Composer (#​7693)
• fix: update CPE pattern to remove FP (#​7684)
• fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces (#​7653)
• fix: Resolve various WCAG accessibility / css issues in the HTML report (#​7629)
• fix: #​7510 Display a dedicated message when receiving an HTTP 403 (#​7575)
• docs: Make Vulnerability Sources in Related Work clearer (#​7691)
• docs: #​7610 add a reference to NVD mirroring in getting started documentation (#​7611)

See the full listing of changes

v12.1.1

Compare Source

• fix: resolve NVD data Parse error com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))
  • bump open-vulnerability-client from 7.3.1 to 7.3.2 (#​7577)
• fix: update links for repository move from jeremylong to the dependency-check organization (#​7373)
• fix: resolve NPE when processing CVE-2025-2682 (#​7558)
• fix: prevent rogue base suppression files (#​7544)
• fix: #​6819 handle invalid toml file (#​7548)
• fix: Use unscored severity only in absence of any CVSS baseScore (#​7530)
• fix: protect against exotic version number of yarn (#​7525)
• fix: Ignore require-bundle MANIFEST.MF entry for evidence (#​7523)
• fix: avoid error on yarn berry audit when no vulnerability found (#​7501)
• fix: improve null checks in Downloader (#​7493)
• fix: improve null checks resolves dependency-check/dependency-check-gradle#441
• fix: Avoid FPs when Composer product name has php (#​7486)
• fix: cli not honoring window paths correctly (#​7470)
• fix: Also apply muteNoisyLoggers to UpdateMojo (#​7469)
• fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed (#​7437)
• docs: sync the supported Maven version with the one stated in the system requirement section (#​7570)
• docs: update proxy config documentation (#​7550)
• docs: Remove copyright as requested by the Apache foundation
• docs: drop redundant text in the Internet Access Required section (#​7521)
• docs: correct gradle documentation (#​7511)

See the full listing of changes

v12.1.0

Compare Source

• feat: Implement Yarn Berry Analyser (#​7319)
• fix: Improve thread safety issue #​7338 alternative (#​7367)
• build(deps): bump open-vulnerability-client to 7.2.2 (#​7407)
  • resolves issue with downloading data from the NVD (#​7406)

See the full listing of changes

v12.0.2

Compare Source

• fix: correct JSON report error (#​7350)
• fix: some compatability issues in the gitlab report (#​7349)
• fix: ArtifactoryAnalyzer updated to use the HTTPClient5-based Downloader and skip unusable results (#​7293)
• chore: allow messages via EngineVersionCheck (#​7353)
• chore: switch from javax.json to jakarta.json (#​7326)

See the full listing of changes.

v12.0.1

Compare Source

• fix: improve error message on improperly configured serverId credentials in settings.xml (#​7313)
• fix: Lower Basic serverId when Bearer was expected to a warning
• fix: improve error message on improperly configured serverId credentials
• fix: Correct nonProxyHosts support when no sys properties set (#​7306)
• docs: Fix OSS Index Maven config documentation (#​7322)
• chore(docs): Document Gradle plugin support for failBuildOnUnusedSuppressionRule (#​7307)
• chore(docs): Correct analyzers config example to use Gradle dot-syntax (#​7305)
• chore(docs): Group failBuildOnUnusedSuppressionRule flag next to suppression file configuration
• chore(docs): Update Gradle plugin documentation for failBuildOnUnusedSuppressionRule support
• chore(docs): Correct analyzers config example to use Gradle dot-syntax

See the full listing of changes.

v12.0.0

Compare Source

• BREAKING CHANGE: report on CVSS v4 (#​7204)
  • the schema has been updated to include CVSS v4 for JSON and XML reports
• feat: show from which dependency the CVE comes in failure report (#​7224)
• feat: Use Maven settings decryption API for decrypting secrets from settings.xml (#​7284)
• feat: Extend authentication to support Bearer token for many resources (#​7277)
• feat: Add a flag to fail when one or more suppression rules are not used (#​7244)
• fix: add product evidence as vendor to reduce FN (#​7295)
• fix: Make the HTTP-Client use pre-emptive authentication (#​7255)
• fix: Add the missing proxy credentials for suppressionFileUser/Password authentication scenario
• fix: increase max retry count (#​7252)
• fix: Make the HTTP-Client use pre-emptive authentication for configured server credentials and extend HTTPClient usage to Nexus search
• fix: Tranform into UTC the last modified date from database (#​7222)

See the full listing of changes.

v11.1.1

Compare Source

• fix: re-enable issue locking (#​7220)
• fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#​7169)
• fix: rework replaceOrAddVulnerability (#​7177)
• fix: do not log loading of JDBC driver (#​7155)
• fix: expose flag to disable version check (#​7147)
• fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#​7125)
• docs: update gradle configuration documentation (#​7176)
• docs: update documentation for Gradle plugin (#​7143)
• docs: improve false positive issue templat (#​7130)
• chore: cleanup base suppression (#​7138)

See the full listing of changes.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.