OWASP Dependency-Check is one of the most popular open-source Software Composition Analysis tools. With over 290 contributors and 82 releases, it has been a cornerstone of the open-source security community for years.
It identifies known vulnerabilities in project dependencies using the National Vulnerability Database (NVD).
What is OWASP Dependency-Check?
OWASP Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed vulnerabilities.
It can be used as a command-line tool, Maven/Gradle plugin, Ant task, or Jenkins plugin.
The tool is maintained by OWASP and has been a staple in the open-source security community for years.
Key Features
NVD Integration
Uses the National Vulnerability Database:
- CVE vulnerability matching
- CPE (Common Platform Enumeration) identification
- Regular database updates
- Offline mode support
Multi-Platform Support
Analyzes dependencies for:
- Java (Maven, Gradle)
- .NET (NuGet)
- JavaScript (npm)
- Python (pip)
- Ruby (Bundler)
- Go modules
Multiple Report Formats
Generate reports in:
- HTML (default)
- JSON
- XML
- CSV
- SARIF (for GitHub integration)
Installation
Command Line
```bash
# Download and extract (replace 8.x.x with the release you want)
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.x.x/dependency-check-8.x.x-release.zip
unzip dependency-check-*.zip

# Run scan
./dependency-check/bin/dependency-check.sh --project MyProject --scan ./
```
Maven Plugin
```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.x.x</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
Gradle Plugin
```groovy
plugins {
    id 'org.owasp.dependencycheck' version '8.x.x'
}

dependencyCheck {
    // Fail the build when any finding scores CVSS 7 or higher
    failBuildOnCVSS = 7
}
```
CI/CD Integration
GitHub Actions
```yaml
- name: OWASP Dependency Check
  uses: dependency-check/Dependency-Check_Action@main
  with:
    project: 'My Project'
    path: '.'
    format: 'HTML'

- name: Upload Report
  uses: actions/upload-artifact@v3
  with:
    name: dependency-check-report
    path: reports/
```
Jenkins
Use the OWASP Dependency-Check Jenkins plugin for integration with Jenkins pipelines.
Configuration Options
Common configuration settings:
| Option | Description |
|---|---|
| `failBuildOnCVSS` | Fail the build if any vulnerability's CVSS score meets or exceeds this threshold |
| `suppressionFile` | XML file for suppressing false positives |
| `data.directory` | Local database storage location |
| `nvd.api.key` | NVD API key for faster updates |
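The build plugins apply `failBuildOnCVSS` for you, but a command-line scan only writes a report. The following script is an added example (not part of Dependency-Check) that reproduces that gate over the JSON report format: it reads the report, collects every vulnerability scored at or above a CVSS threshold, and returns a non-zero exit code when any are found. The field names it reads (`dependencies[]` with `vulnerabilities[]` carrying `cvssv3.baseScore` or `cvssv2.score`) are assumed here from the tool's JSON report layout; the embedded sample report and its CVE identifiers are constructed placeholders, not real findings.

```python
"""Gate a build on a Dependency-Check JSON report.

Added example, not part of Dependency-Check itself: it post-processes the
report written by ``--format JSON`` and fails when any vulnerability scores at
or above a CVSS threshold, mirroring what ``failBuildOnCVSS`` does inside the
Maven/Gradle plugins. The field names (dependencies[] -> vulnerabilities[]
with cvssv3.baseScore or cvssv2.score) follow the tool's JSON report layout
as assumed here; check them against a real report before relying on this.
"""
import json
import sys

# Constructed sample report, trimmed to the fields this script reads.
# CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "MyProject"},
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-XXXX-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-XXXX-0002", "severity": "LOW",
                 "cvssv2": {"score": 2.1}},
                # No score at all: the gate treats this as failing (fail closed).
                {"name": "CVE-XXXX-0003", "severity": "UNKNOWN"},
            ],
        },
        {"fileName": "clean-lib-2.0.jar", "vulnerabilities": []},
    ],
})


def score_of(vuln):
    """Prefer the CVSS v3 base score, fall back to v2; None if neither exists."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def findings_at_or_above(report, threshold):
    """Return [{dependency, name, score}] for every vulnerability that should
    fail the build: scored at or above ``threshold``, or not scored at all."""
    data = json.loads(report) if isinstance(report, str) else report
    hits = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = score_of(vuln)
            if score is None or score >= threshold:
                hits.append({"dependency": dep.get("fileName", "?"),
                             "name": vuln.get("name", "?"),
                             "score": score})
    return hits


def gate(report, threshold=7.0):
    """Print the failing findings and return a process exit code (0 = pass)."""
    hits = findings_at_or_above(report, threshold)
    for h in hits:
        shown = "unscored" if h["score"] is None else f"CVSS {h['score']}"
        print(f"FAIL {h['dependency']}: {h['name']} ({shown})")
    if not hits:
        print(f"PASS: no vulnerabilities at or above CVSS {threshold}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python gate.py dependency-check-report.json 7
    # With no arguments the constructed sample report is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    report = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    sys.exit(gate(report, threshold))
```

Unscored vulnerabilities are deliberately treated as failures rather than silently passed; a finding with no CVSS data is one a human still has to look at, and the suppression file is the right place to record that decision once it has been made.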
Suppressing False Positives
Create a suppression file to ignore false positives:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>False positive for internal library</notes>
    <cpe>cpe:/a:example:internal-lib</cpe>
    <cve>CVE-2021-12345</cve>
  </suppress>
</suppressions>
```
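Suppression files tend to accumulate, and an entry that is too broad silently hides real findings. The script below is an added example (not part of Dependency-Check) that audits a suppression file for three things a reviewer usually wants to know: entries with no file-level matcher (`filePath`, `sha1`, `gav` or `packageUrl`) and therefore applying to every dependency, entries without a `<notes>` justification, and entries whose `until` date has passed. Element and attribute names are those of the `dependency-suppression.1.3.xsd` schema referenced above; the embedded sample file and its CVE identifier are constructed for this example.

```python
"""Audit a Dependency-Check suppression file for overly broad entries.

Added example, not part of Dependency-Check. It parses the suppression XML and
flags each <suppress> entry that (a) applies globally because it has no
file-level matcher (filePath, sha1, gav or packageUrl), (b) has no <notes>
explaining why it exists, or (c) carries an ``until`` date that has expired.
Element/attribute names follow dependency-suppression.1.3.xsd; the sample
file below is constructed and its CVE identifier is a placeholder.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
SCOPING = ("filePath", "sha1", "gav", "packageUrl")

# Constructed sample: one global suppression, one expired, one unjustified.
SAMPLE_SUPPRESSIONS = f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS}">
  <suppress>
    <notes>False positive for internal library</notes>
    <cpe>cpe:/a:example:internal-lib</cpe>
  </suppress>
  <suppress until="2020-01-01Z">
    <notes>Temporary: waiting for upstream fix</notes>
    <packageUrl regex="true">^pkg:maven/com\\.example/.*$</packageUrl>
    <cve>CVE-XXXX-0002</cve>
  </suppress>
  <suppress>
    <gav regex="true">^com\\.example:.*:.*$</gav>
    <cvssBelow>4</cvssBelow>
  </suppress>
</suppressions>
"""


def audit(xml_text, today=None):
    """Return a list of (entry_number, issue) tuples, in document order.

    ``today`` may be a date or an ISO "YYYY-MM-DD" string; defaults to now.
    """
    if today is None:
        today = dt.date.today()
    elif isinstance(today, str):
        today = dt.date.fromisoformat(today)

    root = ET.fromstring(xml_text.encode("utf-8"))
    issues = []
    for number, sup in enumerate(root.findall(f"{{{NS}}}suppress"), start=1):
        # Local names of the child elements, e.g. {"notes", "cpe"}.
        tags = {child.tag.split("}")[-1] for child in sup}
        notes = (sup.findtext(f"{{{NS}}}notes", default="") or "").strip()

        if not tags & set(SCOPING):
            issues.append((number, "global: no filePath/sha1/gav/packageUrl scoping"))
        if not notes:
            issues.append((number, "missing <notes> justification"))

        until = sup.get("until")
        if until:
            # The schema uses xs:date, which may carry a trailing "Z".
            expiry = dt.date.fromisoformat(until.rstrip("Z"))
            if expiry < today:
                issues.append((number, f"expired on {expiry.isoformat()}"))
    return issues


if __name__ == "__main__":
    import sys
    # Usage: python audit_suppressions.py suppressions.xml
    # With no argument the constructed sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SUPPRESSIONS
    for number, issue in audit(text):
        print(f"suppress #{number}: {issue}")
```

Run against the sample with a date in 2025, it reports entry 1 as global, entry 2 as expired and entry 3 as lacking notes. Wiring it into the same pipeline step as the scan keeps the suppression file reviewed alongside the findings it hides.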
NVD API Key
Starting in 2023, an NVD API key is recommended for faster database updates:
```bash
./dependency-check.sh --nvdApiKey YOUR_API_KEY --project MyProject --scan ./
```
Get your free API key at: https://nvd.nist.gov/developers/request-an-api-key
Limitations
- Relies on NVD data accuracy
- May produce false positives
- Database updates can be slow without an API key
- Limited reachability analysis
When to Use Dependency-Check
OWASP Dependency-Check is ideal for:
- Organizations needing free SCA
- CI/CD pipeline integration
- Compliance requirements (PCI DSS, etc.)
- Quick vulnerability assessments