DependencyCheck
DependencyCheck is an open-source software composition analysis tool originally developed under the OWASP umbrella. It scans project dependencies and their versions to identify known vulnerabilities by mapping them to publicly disclosed advisories.
The tool operates by analyzing build manifests and artifacts to enumerate dependencies, then cross-referencing them against
DependencyCheck supports a wide range of ecosystems, including Java (Maven, Gradle), .NET (NuGet), Node.js (npm, Yarn),
Limitations include dependence on the timeliness and completeness of vulnerability feeds, which may result in missed
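To make the scanning model and the feed-freshness limitation concrete, here is a small added example (written for this entry, not code from the DependencyCheck project): it enumerates dependencies from a constructed npm lockfile and a constructed Maven POM, cross-references them against a constructed advisory feed with version-range matching, and reports the feed's age. The advisory identifiers (ADV-EXAMPLE-…), the feed layout, and the package names and versions are all constructed placeholders; real tools consume NVD-style feeds with their own formats and identifiers.

```python
"""Toy software composition analysis scan: enumerate dependencies from build
manifests, then cross-reference them against a vulnerability feed.
All inputs are constructed for this example; advisory ids are placeholders."""
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed npm lockfile in the lockfileVersion 2/3 layout (a "packages" map).
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},   # root project itself
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed Maven POM using the standard POM namespace.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>widget-core</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>widget-util</artifactId><version>1.0.0</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed (assumed format); "generated" lets us judge staleness.
ADVISORY_FEED = {
    "generated": "2024-01-01T00:00:00+00:00",
    "advisories": [
        {"id": "ADV-EXAMPLE-0001", "ecosystem": "npm", "package": "lodash",
         "affected": "<4.17.21", "severity": "HIGH"},
        {"id": "ADV-EXAMPLE-0002", "ecosystem": "maven",
         "package": "org.example:widget-core", "affected": ">=2.0.0,<2.3.2",
         "severity": "MEDIUM"},
    ],
}

def parse_version(text):
    """'4.17.15' -> (4, 17, 15); qualifiers such as '-rc1' are dropped and short
    versions are zero-padded so tuple comparison behaves like a numeric compare."""
    parts = [int(p) for p in re.match(r"[\d.]+", text).group(0).strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def version_affected(version, spec):
    """True if version satisfies every comma-separated constraint in spec."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "==": lambda a, b: a == b}
    v = parse_version(version)
    for clause in spec.split(","):
        op, bound = re.match(r"(<=|>=|==|<|>)\s*(.+)", clause.strip()).groups()
        if not ops[op](v, parse_version(bound)):
            return False
    return True

def enumerate_npm(lock_text):
    """Yield (ecosystem, name, version) for every installed npm package."""
    lock = json.loads(lock_text)
    deps = []
    for path, meta in lock.get("packages", {}).items():
        if not path:          # the empty key is the root project, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested node_modules paths
        deps.append(("npm", name, meta["version"]))
    return deps

def enumerate_maven(pom_text):
    """Yield (ecosystem, groupId:artifactId, version) for each POM dependency."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    deps = []
    for d in root.findall(".//m:dependency", ns):
        coord = f"{d.findtext('m:groupId', namespaces=ns)}:{d.findtext('m:artifactId', namespaces=ns)}"
        deps.append(("maven", coord, d.findtext("m:version", namespaces=ns)))
    return deps

def scan(deps, feed, now, max_feed_age=timedelta(days=7)):
    """Cross-reference deps against the feed. Also report feed age: a stale or
    incomplete feed produces silent false negatives, so the scan should say so."""
    findings = []
    for eco, name, ver in deps:
        for adv in feed["advisories"]:
            if (adv["ecosystem"] == eco and adv["package"] == name
                    and version_affected(ver, adv["affected"])):
                findings.append({"package": name, "version": ver,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    age = now - datetime.fromisoformat(feed["generated"])
    return {"findings": findings, "feed_age_days": age.days, "feed_stale": age > max_feed_age}

if __name__ == "__main__":
    deps = enumerate_npm(PACKAGE_LOCK) + enumerate_maven(POM_XML)
    result = scan(deps, ADVISORY_FEED, now=datetime(2024, 3, 1, tzinfo=timezone.utc))
    for f in result["findings"]:
        print(f"{f['severity']:6} {f['package']}@{f['version']} -> {f['advisory']}")
    if result["feed_stale"]:
        print(f"WARNING: advisory feed is {result['feed_age_days']} days old; findings may be incomplete")
```

The two matches come from the version-range check, not from name matching alone, and the staleness warning is the point of the last paragraph: a dependency whose advisory has not yet reached the feed yields no finding, so the age of the feed is part of the result rather than an afterthought.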