18 Pull requests merged by 6 people

• Update generatedSuppressions.xml

  #7893 merged Aug 27, 2025

• fix: npe when processing cve with empty configuration

  #7888 merged Aug 25, 2025

• build(deps): bump amannn/action-semantic-pull-request from 6.0.1 to 6.1.1

  #7886 merged Aug 25, 2025

• build(deps): bump com.github.spotbugs:spotbugs-maven-plugin from 4.9.3.2 to 4.9.4.0

  #7882 merged Aug 24, 2025

• docs: Clarify format of exclude patterns

  #7879 merged Aug 22, 2025

• build(deps): bump actions/setup-java from 4 to 5

  #7883 merged Aug 22, 2025

• build(deps): bump mockito.version from 5.18.0 to 5.19.0

  #7874 merged Aug 19, 2025

• build(deps): bump golang from 1.24.6-alpine to 1.25.0-alpine

  #7865 merged Aug 18, 2025

• build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.2 to 3.11.3

  #7871 merged Aug 18, 2025

• build(deps-dev): bump io.netty:netty-codec-http from 4.2.3.Final to 4.2.4.Final

  #7866 merged Aug 15, 2025

• build(deps): bump amannn/action-semantic-pull-request from 5.5.3 to 6.0.1

  #7867 merged Aug 14, 2025

• build(deps): bump actions/checkout from 4 to 5

  #7861 merged Aug 13, 2025

• build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.3 to 4.9.4

  #7859 merged Aug 11, 2025

• build(deps): bump golang from 1.24.5-alpine to 1.24.6-alpine

  #7858 merged Aug 8, 2025

• docs: Document poetry-based analysis behaviour in Python analyzer

  #7855 merged Aug 6, 2025

• fix: Return unsorted vulnerabilities in new HashSet, avoiding CoMod

  #7848 merged Aug 6, 2025

• build(deps): bump actions/download-artifact from 4 to 5

  #7856 merged Aug 6, 2025

• build(deps): bump org.apache.commons:commons-compress from 1.27.1 to 1.28.0

  #7839 merged Jul 30, 2025

4 Pull requests opened by 2 people

• build(deps): bump commons-cli:commons-cli from 1.9.0 to 1.10.0

  #7851 opened Aug 4, 2025

• build(deps): bump org.jsoup:jsoup from 1.21.1 to 1.21.2

  #7885 opened Aug 25, 2025

• fix: correctly utilize CVSSv4 from ossindex

  #7899 opened Aug 29, 2025

• fix: add CVSSv4 to suppressed entries in JSON report

  #7900 opened Aug 29, 2025

17 Issues closed by 5 people

• Could not connect to Central search. Analysis failed.

  #7896 closed Aug 30, 2025

• Change legacy central url

  #5827 closed Aug 30, 2025

• Dockerfile?

  #7897 closed Aug 29, 2025

• Dependency-Check update failure when Jenkins runs OWASP Dependency Check.

  #7895 closed Aug 28, 2025

• [FP]: jooq-meta-extensions-liquibase matches CPE liquibase:liquibase

  #7892 closed Aug 27, 2025

• NPE when processing CVE-2025-32915

  #7887 closed Aug 25, 2025

• I checked the issues list for existing open or closed reports of the same problem.

  #7881 closed Aug 22, 2025

• Unable to download NVD cve

  #7880 closed Aug 22, 2025

• java.lang.NullPointerException while processing CVE-2024-32849

  #7840 closed Aug 19, 2025

• org.owasp.dependencycheck-issue for different CPE

  #7868 closed Aug 16, 2025

• DatabaseException: Unable to parse CPE

  #7863 closed Aug 15, 2025

• Fails with Gradle 9

  #7850 closed Aug 12, 2025

• UpdateException: Error updating the NVD Data for 10.0.4

  #7847 closed Aug 6, 2025

• unable to scan jars using dependency check version 12.1.0 version

  #7782 closed Jul 31, 2025

• [FP]: quarkus-wiremock-1.5.0.jar

  #7841 closed Jul 30, 2025

• [FP]: False Positive for sqlite4java

  #7842 closed Jul 30, 2025

• [FP]: False positive for org.mortbay.jasper/apache-jsp@10.1.41

  #7804 closed Jul 30, 2025

25 Issues opened by 22 people

• Ability to group suppressions in suppressions.xml

  #7898 opened Aug 29, 2025

• Could you present a working set-up or project

  #7894 opened Aug 28, 2025

• [FP]: CVE-2019-20444 on netty-core

  #7891 opened Aug 27, 2025

• CVSSv4 score of vulnerability incorrectly given as CVSSv2 in reports

  #7890 opened Aug 26, 2025

• Replace the Legacy search.maven.org usage in Dependency download with Portal central.sonatype.com

  #7889 opened Aug 26, 2025

• Vulnerability is not reported when package-lock.json is without node_modules

  #7884 opened Aug 22, 2025

• include volta installation in cli image to support different versions of yarn

  #7877 opened Aug 19, 2025

• PE Analyzer throwing errors while scanning .dll files

  #7876 opened Aug 19, 2025

• [FP]: False positive findings in Dependency Checker for spring-binding

  #7875 opened Aug 19, 2025

• [FP]: False positive findings in Dependency Checker for Logback

  #7873 opened Aug 19, 2025

• [FP]: False positive findings in Dependency Checker for Oracle Database server

  #7872 opened Aug 18, 2025

• Consider returning a clear error message when NVD API key is invalid

  #7870 opened Aug 16, 2025

• [FP]: False positive for CVE-2019-3800 in solace-messaging-client

  #7869 opened Aug 15, 2025

• PublishedSuppressions.xml link being blocked at Network level.

  #7864 opened Aug 13, 2025

• [FP]: CVE-2025-5222 in org.graalvm.shadowed/icu4j@24.2.2

  #7862 opened Aug 13, 2025

• [FP]: False positive for CVE-2025-5222 in icu4j-77.1?

  #7860 opened Aug 11, 2025

• [FP]: Jetty false positive findings

  #7857 opened Aug 6, 2025

• [FP]: False positive for CVE-2024-7254 in protobuf-java-3.25.5

  #7854 opened Aug 4, 2025

• [FP]: False positive for CVE-2025-53689 in jackrabbit-data-2.22.0

  #7853 opened Aug 4, 2025

• Scanning with Gradle Plugin - Android Studio - Right approach to reduce false positives?

  #7852 opened Aug 4, 2025

• Dependency Check built in hints kick in and incorrectly flag a module as Spring when using GraalVM / Spring AOT

  #7849 opened Aug 1, 2025

• [FP]: False positive for cve-2017-7658 in apache-jsp

  #7846 opened Jul 31, 2025

• [FP]: False positive for cve-2017-7657 in apache-jsp

  #7845 opened Jul 31, 2025

• [FP]: Multiple false positives against grpc-netty-shaded-1.62.2.jar

  #7844 opened Jul 31, 2025

• java.lang.NoSuchMethodError: 'java.lang.String org.apache.commons.compress.compressors.gzip.GzipUtils'

  #7843 opened Jul 31, 2025

12 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• [FP]: JGit version with backported fix is marked vulnerable

  #7774 commented on Jul 30, 2025 • 0 new comments

• [FP]: CVE-2025-41234 falsely attributed to spring-web-5.3.39.jar

  #7744 commented on Jul 30, 2025 • 0 new comments

• CVE-2020-13091 linked to pandas 2.3.1

  #7834 commented on Aug 2, 2025 • 0 new comments

• Multiple false positive for ICU DLL

  #7337 commented on Aug 5, 2025 • 0 new comments

• Poetry and Archive analyzers fail when run together after building project

  #6356 commented on Aug 5, 2025 • 0 new comments

• Do not want to compile on java 11

  #7788 commented on Aug 6, 2025 • 0 new comments

• Support for NIST 2.0 data feeds

  #7514 commented on Aug 10, 2025 • 0 new comments

• [FP]: False positive for apache-el-11.0.0.jar against multiple jetty 11 CVE's

  #7835 commented on Aug 11, 2025 • 0 new comments

• Gradle task dependencyCheckUpdate fails with org.owasp....UpdateException: Error updating the NVD Data

  #7709 commented on Aug 28, 2025 • 0 new comments

• [RFE]: Possibility to configure URL to "Maven central"

  #7686 commented on Aug 30, 2025 • 0 new comments

• build(deps): bump org.semver4j:semver4j from 5.8.0 to 6.0.0

  #7776 commented on Jul 30, 2025 • 0 new comments

• build(deps): bump maven.api.version from 3.6.3 to 3.9.11

  #7816 commented on Aug 15, 2025 • 0 new comments