An SBT plugin that integrates OWASP DependencyCheck to monitor project dependencies for publicly known vulnerabilities and generate detailed security reports.
SBT Plugin for OWASP DependencyCheck. Scans your project's dependencies and reports any that carry publicly known vulnerabilities (e.g. CVEs).
Scala developers and DevSecOps teams use it to run that scan as part of the build, so a vulnerable dependency is flagged at build time (and can fail CI) instead of being discovered after release.
This plugin needs an NVD API key to work well: NIST has moved from the bulk NVD data feeds to the NVD API, and API requests without a key are heavily rate-limited, so populating the local vulnerability database without one is slow and prone to failure. Expect the first scan to take several minutes while that database is populated; later runs only fetch what changed. Refresh the local NVD data regularly (dependencyCheckUpdate, for example from a scheduled CI job) so scans are run against current vulnerability data.
Add the plugin to your project configuration with: addSbtPlugin("net.nmoncho" % "sbt-dependency-check" % "1.8.1")
Ensure your SBT version is at least 1.9.0
Set your NVD API key in build.sbt using: dependencyCheckNvdApi := NvdApiSettings("YOUR_NVD_API_KEY"). Treat the key as a secret: read it from an environment variable or a file outside version control rather than committing the literal to build.sbt.
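The three setup steps above as one complete configuration. This is an added example, not the plugin's own README; it assumes an environment variable named NVD_API_KEY (my name, pick whatever your CI secret store exposes) and relies on sbt's rule that a setting referenced inside its own definition yields the previously defined (here, the plugin's default) value, so the build still loads on a developer machine where the variable is unset.

```scala
// project/build.properties  (plugin requires sbt 1.9.0 or newer)
// sbt.version=1.9.0

// project/plugins.sbt
addSbtPlugin("net.nmoncho" % "sbt-dependency-check" % "1.8.1")

// build.sbt
// dependencyCheckNvdApi and NvdApiSettings come from the plugin's autoImport.
// The key is read from the environment (NVD_API_KEY is an assumed variable
// name) so it is never committed; when it is absent the plugin's own default
// is kept and the scan simply runs rate-limited, as described above.
dependencyCheckNvdApi := sys.env
  .get("NVD_API_KEY")
  .map(key => NvdApiSettings(key))
  .getOrElse(dependencyCheckNvdApi.value)
```

In CI, inject NVD_API_KEY as a masked secret and run sbt dependencyCheck; locally, export the variable in your shell profile or a non-committed .envrc rather than editing build.sbt.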
sbt -Dlog4j2.level=info dependencyCheck
Runs dependency-check against the current project and writes the vulnerability report. The -Dlog4j2.level=info flag raises the log level so DependencyCheck's own progress output is shown, which is useful on the slow first run while the NVD database is being populated.
dependencyCheckAggregate
Runs dependency-check on project aggregates and combines the results into a single report.
dependencyCheckAllProjects
Runs dependency-check against all projects and combines the results into a single report.
dependencyCheckUpdate
Updates the local cache of the NVD data from NIST.
dependencyCheckPurge
Deletes the local copy of the NVD data to force a refresh.
dependencyCheckListSettings
Lists the settings used during the analysis.
dependencyCheckListUnusedSuppressions
Lists unused suppression rules.