DependencyCheck

DependencyCheck is an open-source software composition analysis tool originally developed under the OWASP umbrella. It scans project dependencies and their versions to identify known vulnerabilities by mapping them to publicly disclosed advisories.

The tool operates by analyzing build manifests and artifacts to enumerate dependencies, then cross-referencing them against vulnerability feeds such as the National Vulnerability Database (NVD) and other sources. It maintains a local database of advisories and supports regular or incremental updates. Results list affected components, associated CVEs, severities, CVSS scores, and recommended mitigations.

DependencyCheck supports a wide range of ecosystems, including Java (Maven, Gradle), .NET (NuGet), Node.js (npm, Yarn), Python (pip), PHP (Composer), Ruby (RubyGems), and Go, among others. It can parse common build systems and analyze both source and binary components. The tool offers a command-line interface and can be integrated into CI/CD workflows via plugins for platforms such as Jenkins, Azure DevOps, and GitHub Actions. Output formats include HTML, JSON, XML, CSV, and SARIF, and it can generate a Software Bill of Materials (SBOM) to assist with inventory and compliance processes.

Limitations include dependence on the timeliness and completeness of vulnerability feeds, which may result in missed advisories or occasional false positives. DependencyCheck is aimed at vulnerability management and SBOM generation rather than license analysis. It is released as open-source software under the Apache License 2.0.
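As an added example (not part of the original page or of the DependencyCheck project itself), the following Python script consumes a JSON report of the kind described above and fails a CI job when any unsuppressed finding reaches a CVSS threshold, falling back from a CVSSv3 base score to CVSSv2 and then to the severity label when no score is present; the field names assume a dependencies[].vulnerabilities[] layout and should be checked against a real report, and the suppression set is a stand-in for reviewed false positives.

```python
"""Gate a CI build on a DependencyCheck JSON report (added example).
Assumed layout: dependencies[].vulnerabilities[] with name, severity,
cvssv3.baseScore and/or cvssv2.score; verify against a real report."""
import json

# Fallback used only when a finding carries no CVSS score at all.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}


def finding_score(vuln):
    """CVSS base score of one finding: prefer v3, then v2, then severity."""
    v3, v2 = vuln.get("cvssv3") or {}, vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    if "score" in v2:
        return float(v2["score"])
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).upper(), 0.0)


def evaluate_report(report, fail_on_cvss=7.0, suppressed=()):
    """Return (should_fail, offenders); an offender is (component, cve, score).
    CVE ids in `suppressed` are skipped, standing in for reviewed false positives."""
    offenders = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            cve = vuln.get("name", "?")
            score = finding_score(vuln)
            if cve not in suppressed and score >= fail_on_cvss:
                offenders.append((dep.get("fileName", "?"), cve, score))
    offenders.sort(key=lambda o: -o[2])
    return bool(offenders), offenders


# Constructed sample report with placeholder CVE ids (not real scan output).
SAMPLE_REPORT = json.loads("""{"dependencies": [
  {"fileName": "libA-1.0.jar", "vulnerabilities": [
    {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
  {"fileName": "libB-2.3.jar", "vulnerabilities": [
    {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
  {"fileName": "libC-0.9.jar", "vulnerabilities": [
    {"name": "CVE-0000-0003", "severity": "HIGH"}]},
  {"fileName": "libD-4.1.jar"}]}""")

if __name__ == "__main__":
    failing, hits = evaluate_report(SAMPLE_REPORT, suppressed={"CVE-0000-0003"})
    for component, cve, score in hits:
        print(f"{component}: {cve} (CVSS {score})")
    raise SystemExit(1 if failing else 0)
```

Point the script at the report produced with the JSON output format and pipe its exit status into the pipeline step; the exit code, not the printed list, is what the CI system acts on.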