Dependency-Check – Software Composition Analysis Tool

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

Dependency-Check - OWASP Software Composition Analysis Tool

Dependency-check can currently be used to scan Java and .NET applications to identify the use of known vulnerable components. Experimental analyzers also exist for Python, Ruby, PHP (composer), and Node.js applications; these are marked experimental because of their possible false positive and false negative rates.

To use the experimental analyzers they must be specifically enabled via the appropriate experimental configuration. In addition, dependency-check has experimental analyzers that can be used to scan some C/C++ source code, including OpenSSL source code and projects that use Autoconf or CMake.

Development teams routinely include third-party libraries in their applications, and some of those libraries contain well-known published vulnerabilities (such as those listed in the National Vulnerability Database). Integrating this tool into the software analysis process allows those security issues to be identified so they can be fixed.
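As an added example (not code from the Dependency-Check project), the following Python script acts as a CI gate over the report described above: it reads the tool's JSON report, lists every CVE at or above a CVSS threshold together with the CPE the dependency was matched to, and returns whether the build should fail. The report field names (dependencies, vulnerabilityIds, vulnerabilities, cvssv3/cvssv2) are assumed from the tool's JSON output and should be checked against a report from your own version; the sample report and its CVE ids are constructed placeholders.

```python
import json

# Constructed sample report (not real tool output); field names follow the
# tool's JSON report layout as assumed here, CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-lib-1.2.3.jar",
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:example:example_lib:1.2.3:*:*:*:*:*:*:*",
                 "confidence": "HIGHEST"}],
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-00002", "cvssv2": {"score": 3.5}}],
        },
        {"fileName": "clean-lib-2.0.0.jar", "vulnerabilities": []},
    ]
})

def score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, else 0 (unknown)."""
    if "cvssv3" in vuln:
        return float(vuln["cvssv3"].get("baseScore", 0))
    if "cvssv2" in vuln:
        return float(vuln["cvssv2"].get("score", 0))
    return 0.0

def findings_at_or_above(report_json, threshold):
    """Return (fileName, cve, score, matched_cpe) for each vulnerability at or
    above the threshold. The CPE is reported because a wrong CPE match is the
    usual source of a false positive and is what a suppression rule targets."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        cpes = [v["id"] for v in dep.get("vulnerabilityIds", [])]
        for vuln in dep.get("vulnerabilities", []):
            s = score(vuln)
            if s >= threshold:
                hits.append((dep["fileName"], vuln["name"], s,
                             cpes[0] if cpes else None))
    return hits

def build_should_fail(report_json, threshold=7.0):
    """CI gate: True when any finding reaches the threshold (7.0 = High)."""
    return bool(findings_at_or_above(report_json, threshold))

if __name__ == "__main__":
    for hit in findings_at_or_above(SAMPLE_REPORT, 7.0):
        print("%s: %s (CVSS %.1f) via %s" % hit)
    print("FAIL" if build_should_fail(SAMPLE_REPORT) else "PASS")
```

Point the script at a real report by replacing SAMPLE_REPORT with the contents of the JSON file the tool writes, and review the matched CPE of each hit before treating it as a true positive.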

OWASP dependency-check’s core analysis engine can be used as:

  • Ant Task
  • Command Line Tool
  • Gradle Plugin
  • Jenkins Plugin
  • Maven Plugin – Maven 3.1 or newer required
  • SBT Plugin

You can read more and download the tool over here: https://github.com/jeremylong/DependencyCheck
