Sourced from org.owasp:dependency-check-maven's releases.

Version 12.1.6

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Version 12.1.5

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Sourced from org.owasp:dependency-check-maven's changelog.

Version 12.1.6 (2025-09-24)

• fix: Disable OSS Index if its credentials are missing (#7963)
• fix: Correct CVSSv4 parsing for low precision OSSIndex values (#7935)
• fix(fp): Fix false positives for Redis Server against NPM/JS client libs (#7942)
• docs: Fix legacy GitHub links within docs and CHANGELOG (#7944)
• chore: fix version typo in security policy (#7936)

See the full listing of changes

Version 12.1.5 (2025-09-20)

• fix: Update to support OSS Index Authentication Requirements (#7920)
  • Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
• fix: add CVSSv4 to suppressed entries in JSON report (#7900)
• fix: correctly utilize CVSSv4 from ossindex (#7899)
• fix: npe when processing cve with empty configuration (#7888)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod (#7848)
• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod
• fix: class loading problem with fat jars (#7786) (#7787)
• fix: Improve Artifactory handler log message (#7838)
• fix: classloading problem with fat jars (#7786)
• fix: Add null checking when parsing the license json in AbstractNpmAnalyzer. (#7784)
• fix(fp): resolves several false positives related to CVE-2021-41033 (#7736)
• docs: Clarify format of exclude patterns (#7879)
• docs: Document poetry-based analysis behaviour in Python analyzer (#7855)
• docs: request FP reporters use the latest version of ODC. (#7820)
• docs: update development pre-reqs (#7792)
• docs: fix minor typos in false positive issue template (#7763)

See the full listing of changes

• 0a9592c build: prepare release v12.1.6
• c7e992c docs: release 12.1.6
• 93b0d1b build(deps): bump netty-codec-http from 5.2.4-final to 5.2.5-final (#7965)
• 22ecc0b fix: Disable OSS Index if its credentials are missing (#7963)
• 93422d2 chore: Allow passing ossIndex credentials during false positive ops workflow ...
• 34a1235 docs: Fix legacy GitHub links within docs and CHANGELOG (#7944)
• c44ba32 fix(fp): Fix false positives for Redis Server against NPM/JS client libs (#7942)
• 4af07cc docs: Implement #7808 to make changelog links clickable (#7945)
• 6008202 test: Fix AssemblyAnalyzerTest to be robust to Grok availability (#7950)
• b3aa3f2 build: replace deprecated jlink argument (#7953)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)