Update dependency org.owasp:dependency-check-maven to v12

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.owasp:dependency-check-maven (source)	11.1.0 -> 12.1.8

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

dependency-check/DependencyCheck (org.owasp:dependency-check-maven)

v12.1.8

Compare Source

• fix: improve VulnerableSoftware comparison (#​8031)
• build: fix flaky central test (#​8039)
• docs: Improve Gradle docs wrt experimental analyzers, use of Central and Proxy configuration (#​8036)
• docs: add note about central analyzer for gradle (#​8038)

See the full listing of changes

v12.1.7

Compare Source

• fix: disable central analyzer after failures (#​7993)
• fix: Suppress JVM warnings from Lucene within CLI (#​8003)
• fix: Clean up Apache Lucene logging via SLF4j redirect (#​7979)
• fix: Correct Archive Analyzer behaviour on certain tgz archives (#​7986)
• fix: Update NVD CPE search URLs in generated reports to match new search interface (#​7970)
• fix: improve OSS Index Error Reporting (#​7977)
• fix(fp): Consolidate false positive suppression for false positives on Redis client libs (#​8017)
• fix(fp): Fix more common false positives for popular PHP/composer frameworks with generic names (#​7994)
• docs: improve slack notification documentation (#​8026)
• docs: Documentation artifactory settings fix (#​7999)
• docs: Clarify Nexus Analyzer requirements and usage (#​8000)
• build: Build amd64 and arm64 multi-platform Docker image (#​7952)

See the full listing of changes

v12.1.6

Compare Source

• fix: Disable OSS Index if its credentials are missing (#​7963)
• fix: Correct CVSSv4 parsing for low precision OSSIndex values (#​7935)
• fix(fp): Fix false positives for Redis Server against NPM/JS client libs (#​7942)
• docs: Fix legacy GitHub links within docs and CHANGELOG (#​7944)
• chore: fix version typo in security policy (#​7936)

See the full listing of changes

v12.1.5

Compare Source

• fix: Update to support OSS Index Authentication Requirements (#​7920)
  • Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
• fix: add CVSSv4 to suppressed entries in JSON report (#​7900)
• fix: correctly utilize CVSSv4 from ossindex (#​7899)
• fix: npe when processing cve with empty configuration (#​7888)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#​7848)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
• fix: class loading problem with fat jars (#​7786) (#​7787)
• fix: Improve Artifactory handler log message (#​7838)
• fix: classloading problem with fat jars (#​7786)
• fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#​7784)
• fix(fp): resolves several false positives related to CVE-2021-41033 (#​7736)
• docs: Clarify format of exclude patterns (#​7879)
• docs: Document poetry-based analysis behaviour in Python analyzer (#​7855)
• docs: request FP reporters use the latest version of ODC. (#​7820)
• docs: update development pre-reqs (#​7792)
• docs: fix minor typos in false positive issue template (#​7763)

See the full listing of changes

v12.1.4

Compare Source

v12.1.3

Compare Source

• fix: correct regex matches introduced in 12.1.2 (#​7726)
• build(deps): bump org.semver4j:semver4j from 5.7.0 to 5.7.1 (#​7718)
• build(deps): bump junit.version from 5.13.0 to 5.13.1 (#​7719)

See the full listing of changes

v12.1.2

Compare Source

• fix: Allow configuring OSS Index user/pw directly (#​7640)
• fix: remove vulnerable transitive dependency - beanutils (#​7705)
• fix: Simplify PHP framework suppression for Composer (#​7693)
• fix: update CPE pattern to remove FP (#​7684)
• fix(cli): Patch generated Windows shell script for JAVACMD installs with spaces (#​7653)
• fix: Resolve various WCAG accessibility / css issues in the HTML report (#​7629)
• fix: #​7510 Display a dedicated message when receiving an HTTP 403 (#​7575)
• docs: Make Vulnerability Sources in Related Work clearer (#​7691)
• docs: #​7610 add a reference to NVD mirroring in getting started documentation (#​7611)

See the full listing of changes

v12.1.1

Compare Source

• fix: resolve NVD data Parse error com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93))
  • bump open-vulnerability-client from 7.3.1 to 7.3.2 (#​7577)
• fix: update links for repository move from jeremylong to the dependency-check organization (#​7373)
• fix: resolve NPE when processing CVE-2025-2682 (#​7558)
• fix: prevent rogue base suppression files (#​7544)
• fix: #​6819 handle invalid toml file (#​7548)
• fix: Use unscored severity only in absence of any CVSS baseScore (#​7530)
• fix: protect against exotic version number of yarn (#​7525)
• fix: Ignore require-bundle MANIFEST.MF entry for evidence (#​7523)
• fix: avoid error on yarn berry audit when no vulnerability found (#​7501)
• fix: improve null checks in Downloader (#​7493)
• fix: improve null checks resolves dependency-check/dependency-check-gradle#441
• fix: Avoid FPs when Composer product name has php (#​7486)
• fix: cli not honoring window paths correctly (#​7470)
• fix: Also apply muteNoisyLoggers to UpdateMojo (#​7469)
• fix: Make HC5 Downloader honor the connection- and readTimeout settings that the old URLConnectionFactory based downloads observed (#​7437)
• docs: sync the supported Maven version with the one stated in the system requirement section (#​7570)
• docs: update proxy config documentation (#​7550)
• docs: Remove copyright as requested by the Apache foundation
• docs: drop redundant text in the Internet Access Required section (#​7521)
• docs: correct gradle documentation (#​7511)

See the full listing of changes

v12.1.0

Compare Source

• build(deps): bump open-vulnerability-client to 7.2.2 (#​7407)
  • resolves issue with downloading data from the NVD (#​7406)
• fix: Improve thread safety issue #​7338 alternative (#​7367)
• feat: Implement Yarn Berry Analyser (#​7319)

See the full listing of changes

v12.0.2

Compare Source

• fix: correct JSON report error (#​7350)
• fix: some compatability issues in the gitlab report (#​7349)
• fix: ArtifactoryAnalyzer updated to use the HTTPClient5-based Downloader and skip unusable results (#​7293)
• chore: allow messages via EngineVersionCheck (#​7353)
• chore: switch from javax.json to jakarta.json (#​7326)

See the full listing of changes.

v12.0.1

Compare Source

• docs: Fix OSS Index Maven config documentation (#​7322)
• Fix OSS Index Maven config documentation
• chore(docs): Document Gradle plugin support for failBuildOnUnusedSuppressionRule (#​7307)
• chore(docs): Correct analyzers config example to use Gradle dot-syntax (#​7305)
• fix: improve error message on improperly configured serverId credentials in settings.xml (#​7313)
• fix: Lower Basic serverId when Bearer was expected to a warning
• fix: improve error message on improperly configured serverId credentials
• fix: Correct nonProxyHosts support when no sys properties set (#​7306)
• core(docs): Group failBuildOnUnusedSuppressionRule flag next to suppression file configuration
• core(docs): Update Gradle plugin documentation for failBuildOnUnusedSuppressionRule support
• fix: Correct nonProxyHosts support when no sys properties set
• chore(docs): Correct analyzers config example to use Gradle dot-syntax

See the full listing of changes.

v12.0.0

Compare Source

• BREAKING CHANGE: report on CVSS v4 (#​7204)
  • the schema has been updated to include CVSS v4 for JSON and XML reports
• feat: show from which dependency the CVE comes in failure report (#​7224)
• feat: Use Maven settings decryption API for decrypting secrets from settings.xml (#​7284)
• feat: Extend authentication to support Bearer token for many resources (#​7277)
• feat: Add a flag to fail when one or more suppression rules are not used (#​7244)
• fix: add product evidence as vendor to reduce FN (#​7295)
• fix: Make the HTTP-Client use pre-emptive authentication (#​7255)
• fix: Add the missing proxy credentials for suppressionFileUser/Password authentication scenario
• fix: increase max retry count (#​7252)
• fix: Make the HTTP-Client use pre-emptive authentication for configured server credentials and extend HTTPClient usage to Nexus search
• fix: Tranform into UTC the last modified date from database (#​7222)

See the full listing of changes.

v11.1.1

Compare Source

• fix: re-enable issue locking (#​7220)
• fix: add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#​7169)
• fix: rework replaceOrAddVulnerability (#​7177)
• fix: do not log loading of JDBC driver (#​7155)
• fix: expose flag to disable version check (#​7147)
• fix: Gracefully handle CVEs with bad configuration nodes missing CPE match expressions (#​7125)
• chore: cleanup base suppression (#​7138)
• docs: update gradle configuration documentation (#​7176)
• docs: update documentation for Gradle plugin (#​7143)
• docs: improve false positive issue templat (#​7130)

See the full listing of changes.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.