OWASP dependency-check is a software composition analysis (SCA) tool that detects publicly disclosed vulnerabilities in application dependencies by mapping each identified component to known CVEs.
This tool is primarily used by developers, security engineers, and DevSecOps teams to automatically scan application dependencies for known vulnerabilities, helping to manage and reduce risk in software supply chains. It integrates into build pipelines to provide continuous vulnerability detection and reporting.
Upgrading to version 10.0.2 or later is mandatory due to changes in how the tool interacts with the NVD API to reduce unnecessary load. Users are highly encouraged to obtain and configure an NVD API key to avoid slow updates and rate limiting issues. Java 11 is required from version 11.0.0 onward, and database cache incompatibilities require purging when upgrading. The tool is not endorsed by NVD despite using its API.
Ensure Java 11 or higher is installed (required from version 11.0.0 onward)
Download production binary releases from the official GitHub pages
For Maven users, add the dependency-check-maven plugin to your project
For Gradle users, apply the dependency-check plugin in your build script
For CLI usage, download and run the dependency-check.sh script
Optionally, purge local H2 database cache with commands like './gradlew dependencyCheckPurge', 'mvn org.owasp:dependency-check-maven:9.0.0:purge', or 'dependency-check.sh --purge' if upgrading or encountering issues
./dependency-check.sh --purge
Purges the local H2 database cache to force a full NVD data download.
./dependency-check.sh --scan <path>
Scans the specified project directory for vulnerable dependencies.
mvn org.owasp:dependency-check-maven:check
Runs the Dependency-Check scan within a Maven build.
./gradlew dependencyCheckAnalyze
Executes the dependency-check analysis task in a Gradle build.
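Each of the commands above produces a report, and in a build pipeline the practical question is what to do with it. The script below is an added example, not part of the dependency-check project: it reads a dependency-check JSON report (the `--format JSON` output), lists every finding whose CVSS score reaches a chosen threshold, and returns a pass/fail verdict a CI job can act on. The report layout it assumes (a `dependencies` array, each entry carrying a `vulnerabilities` array with `cvssv3.baseScore` or `cvssv2.score`) is taken from the author's reading of the tool's JSON output and should be checked against a real report; the embedded report and its CVE identifiers are constructed sample data, not real findings.

```python
import json
import sys

# Constructed sample of a dependency-check JSON report. The structure is an
# assumption about the tool's JSON format; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv3": {"baseScore": 5.3}},
            ],
        },
        {"fileName": "clean-lib-2.3.jar"},          # no vulnerabilities key
        {
            "fileName": "legacy-lib-0.9.jar",
            "vulnerabilities": [
                # Older entries may carry only a CVSS v2 score.
                {"name": "CVE-0000-0003", "severity": "HIGH",
                 "cvssv2": {"score": 7.5}},
            ],
        },
    ],
})


def vuln_score(vuln):
    """Return the best available CVSS score for one finding, preferring v3.

    Returns None when the entry has no usable score at all.
    """
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    return None


def findings_at_or_above(report_text, threshold):
    """List (dependency, cve, score) for findings with score >= threshold.

    A finding without any score cannot be proven harmless, so it is reported
    with score None and treated as failing (fail closed).
    """
    report = json.loads(report_text)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score is None or score >= threshold:
                hits.append((dep.get("fileName", "<unknown>"),
                             vuln.get("name", "<unnamed>"), score))
    # Highest scores first; unscored findings sort to the top.
    hits.sort(key=lambda h: -1 if h[2] is None else -h[2])
    return hits


def should_fail(report_text, threshold):
    """True when the report contains at least one gating finding."""
    return bool(findings_at_or_above(report_text, threshold))


def main(argv):
    # Usage: gate_report.py <report.json> [threshold]; threshold defaults to 7.0.
    if len(argv) < 2:
        text, threshold = SAMPLE_REPORT, 7.0
    else:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
        threshold = float(argv[2]) if len(argv) > 2 else 7.0
    for dep, cve, score in findings_at_or_above(text, threshold):
        shown = "unscored" if score is None else f"{score:.1f}"
        print(f"{dep}: {cve} (CVSS {shown})")
    return 1 if should_fail(text, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it with no arguments evaluates the embedded sample at threshold 7.0 and exits non-zero, which is the behaviour a pipeline step wants; pointing it at a real report path and a threshold mirrors what `--failOnCVSS` does on the CLI, while still giving a readable per-dependency list of what tripped the gate. Pair it with a suppression file for accepted risks rather than raising the threshold.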