DependencyCheck
by dependency-check
OWASP Dependency-Check is a software composition analysis (SCA) tool that identifies publicly disclosed vulnerabilities in a project's dependencies. For each dependency it derives a Common Platform Enumeration (CPE) identifier from the evidence it collects (manifests, file names, hashes) and maps that CPE to CVE entries in the National Vulnerability Database (NVD).
Primary Use Case
This tool is primarily used by developers, security engineers, and DevSecOps teams to automatically scan application dependencies for known vulnerabilities, helping to manage and reduce risk in software supply chains. It integrates into build pipelines to provide continuous vulnerability detection and reporting.
- Detects publicly disclosed vulnerabilities by deriving a CPE identifier for each dependency and matching it against NVD data; because the match is on CPE rather than exact package coordinates, expect some false positives, review findings, and record accepted ones in a suppression file
- Generates detailed reports linking dependencies to CVE entries
- Supports integration with Maven, Gradle, CLI, and Ant build tools
- Uses the NVD API for vulnerability data; an NVD API key is strongly recommended, since unauthenticated access is heavily rate limited and the initial data download is very slow without one
- Caches vulnerability data in a local H2 database so later scans only fetch updates rather than the full data set
- Provides automation-friendly features for DevSecOps pipelines
- Open source with Apache 2.0 license
- Recognized and presented at multiple Black Hat Arsenal events
Installation
- Ensure Java 11 or later is installed (required since Dependency-Check 11.0.0)
- Download binary releases from the project's official GitHub releases page
- For Maven users, add the dependency-check-maven plugin to your project
- For Gradle users, apply the dependency-check plugin in your build script
- For CLI usage, unpack the release archive and run the bundled dependency-check.sh script (dependency-check.bat on Windows)
- Optionally, purge the local H2 database with './gradlew dependencyCheckPurge', 'mvn org.owasp:dependency-check-maven:9.0.0:purge', or 'dependency-check.sh --purge' when upgrading or if the local database appears corrupt; the next scan then performs a full NVD download
Usage
- ./dependency-check.sh --purge: purges the local H2 database to force a full NVD data download on the next scan.
- ./dependency-check.sh --scan <path>: scans the specified project directory for vulnerable dependencies.
- mvn org.owasp:dependency-check-maven:check: runs the Dependency-Check scan within a Maven build.
- ./gradlew dependencyCheckAnalyze: executes the dependency-check analysis task in a Gradle build.
- Integrate Dependency-Check into CI/CD pipelines for continuous vulnerability detection in dependencies.
- Combine with static application security testing (SAST) tools to enhance overall code security posture.
- Use reports to prioritize patching and remediation efforts based on CVE severity and exploitability.
- Leverage automation features to trigger alerts or block builds when high-risk vulnerabilities are detected.
- Extend tool capabilities by integrating with internal vulnerability management and ticketing systems.
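The gating and prioritization points above can be implemented against the JSON report Dependency-Check writes with --format JSON. The following is an added example written for this page, not code from the dependency-check project: it reads the report, ranks every finding by CVSS score (CVSS v3 base score, falling back to CVSS v2), fails the build when any score reaches a threshold, and, as the failure mode a plain score threshold misses, also flags findings the report carries without any CVSS score so they cannot slip through silently. The field names used (dependencies[].fileName, vulnerabilities[].name, .severity, .cvssv3.baseScore, .cvssv2.score) are assumptions drawn from the JSON report format as the author knows it; check them against a report from your own version. The embedded sample report is constructed for the example and its CVE-style identifiers are placeholders, not real vulnerabilities.

```python
"""Gate a CI build on a Dependency-Check JSON report (added example, not project code).

Usage:  python gate_report.py dependency-check-report.json 7.0
Exit status 0 means the gate passed, 1 means blocking or unscored findings exist.
Report field names are assumptions about the JSON report schema; verify them
against a report produced by your own Dependency-Check version.
"""
import json
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    dependency: str
    vuln_id: str
    severity: str
    score: Optional[float]  # None when the report carries no CVSS score at all


@dataclass(frozen=True)
class GateResult:
    passed: bool
    blocking: tuple  # Findings at or above the CVSS threshold, highest score first
    unscored: tuple  # Findings with no CVSS score; cannot be ranked by a threshold


def vuln_score(vuln: dict) -> Optional[float]:
    """CVSS score of one vulnerability entry: prefer the v3 base score, fall back to v2."""
    for block, key in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        value = (vuln.get(block) or {}).get(key)
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return float(value)
    return None


def collect_findings(report: dict) -> list:
    """Flatten the per-dependency vulnerability lists into one list, highest score first."""
    findings = []
    for dep in report.get("dependencies") or []:
        name = dep.get("fileName") or dep.get("filePath") or "<unknown>"
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(name, vuln.get("name", "<unknown>"),
                                    vuln.get("severity", "UNKNOWN"), vuln_score(vuln)))
    # Unscored findings sort last (treated as 0.0 for ordering only, never for gating).
    return sorted(findings, key=lambda f: (-(f.score if f.score is not None else 0.0),
                                           f.dependency, f.vuln_id))


def gate(report: dict, fail_on_cvss: float = 7.0, fail_on_unscored: bool = True) -> GateResult:
    """Fail when any scored finding reaches the threshold or, by default, when any finding is unscored."""
    findings = collect_findings(report)
    blocking = tuple(f for f in findings if f.score is not None and f.score >= fail_on_cvss)
    unscored = tuple(f for f in findings if f.score is None)
    passed = not blocking and not (fail_on_unscored and unscored)
    return GateResult(passed, blocking, unscored)


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample report for demonstration; identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}},
         ]},
        {"fileName": "example-util-2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
             {"name": "EXAMPLE-UNSCORED-0004", "severity": "UNKNOWN"},
         ]},
        {"fileName": "clean-lib-3.1.jar"},
    ],
}


def main(argv: list) -> int:
    if len(argv) != 3:
        print("usage: gate_report.py <dependency-check-report.json> <fail-on-cvss>", file=sys.stderr)
        return 2
    result = gate(load_report(argv[1]), float(argv[2]))
    for f in result.blocking:
        print(f"BLOCK  {f.score:>4.1f} {f.severity:<8} {f.vuln_id} in {f.dependency}")
    for f in result.unscored:
        print(f"REVIEW  n/a  {f.severity:<8} {f.vuln_id} in {f.dependency} (no CVSS score)")
    print("gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A typical pipeline step would be `./dependency-check.sh --scan . --format JSON --out report/` followed by `python gate_report.py report/dependency-check-report.json 7.0`. The CLI's own --failOnCVSS option already fails a scan on a score threshold; a separate gate like this one is worth having when you also want to surface unscored findings, feed the ranked list into a ticketing system, or apply policy that differs per pipeline.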
Related Tools
trivy
aquasecurity/trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
nuclei
projectdiscovery/nuclei
Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the internet. It helps you find vulnerabilities in your applications, APIs, networks, DNS, and cloud configurations.
lynis
CISOfy/lynis
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
vuls
future-architect/vuls
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
oss-fuzz
google/oss-fuzz
OSS-Fuzz - continuous fuzzing for open source software.
nuclei-templates
projectdiscovery/nuclei-templates
Community curated list of templates for the nuclei engine to find security vulnerabilities.
