OWASP Developer Guide


5.2.1 Dependency-Check

OWASP Dependency-Check is a tool that provides Software Composition Analysis (SCA) from the command line. It identifies the third party libraries in a web application project and checks if these libraries are vulnerable using the NVD database.

Dependency-Check is an OWASP Flagship project and can be downloaded from the GitHub releases area. Dependency-Check was started in September 2012 and has been continuously supported with regular releases since then.

What is Dependency-Check?

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency.

The core engine contains a series of analyzers that inspect the project dependencies and identify the CPE for each dependency. If a CPE is identified then it is cross-referenced against the NIST CVE database and any associated Common Vulnerabilities and Exposures (CVE) entries are listed in the report.

Dependency-Check’s core analysis engine can be used as:

  • an Ant Task
  • a Command Line Tool
  • Gradle Plugin
  • Jenkins Plugin
  • Maven Plugin
  • SBT Plugin

Why use it?

Checking for vulnerable components, ‘A06 Vulnerable and Outdated Components’, is in the OWASP Top Ten and is one of the most straightforward and effective security activities to implement. The Dependency-Check tool provides this check for vulnerable components in CI/CD pipelines through its plugins.

In addition, this is immediately useful for development teams: the ability to check for vulnerable application components from the command line gives immediate feedback to the developer without having to wait for a pipeline to run.

How to use it

The OWASP Spotlight series provides an example of the risks involved in using out of date and vulnerable libraries, and how to use Dependency-Check: ‘Project 2 - OWASP Dependency Check’.

Refer to the Dependency-Check documentation to get started running from the command line:

  • ensure Java is installed, for example from Eclipse Adoptium
  • download and unzip the latest Dependency-Check release
  • navigate to the Dependency-Check ‘bin’ directory and run the scan, using Threat Dragon as an example: ./dependency-check.sh --project "Threat Dragon" --scan ~/github/threat-dragon
  • open the html output file and act on the findings

The command line is useful for immediate feedback during development. Depending on what automation environment is in place, a plugin can also be installed into a pipeline, which can then generate the SCA reports.
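The final step of the command-line procedure above (“act on the findings”) and the pipeline use described here both come down to the same question: which reported CVEs should block a build? The following script is an added example for this guide section, not code from the Dependency-Check project. It assembles the invocation from the list above with the tool's real --format, --out and --failOnCVSS options added, then parses a JSON report and fails the build for any finding at or above a CVSS threshold. The report layout it reads (a top-level "dependencies" list, each with a "vulnerabilities" list carrying "name", "severity", "cvssv3.baseScore" and "cvssv2.score") is a simplified model of the JSON report and is an assumption to verify against a real report; the embedded sample report, its jar names and its CVE ids are constructed placeholders.

```python
"""Turn a Dependency-Check JSON report into a CI pass/fail decision.

Added example for this guide section, not code from the Dependency-Check
project. It assumes the report was produced with `--format JSON` and models
the report as {"dependencies": [{"fileName": ..., "vulnerabilities": [
{"name": ..., "severity": ..., "cvssv3": {"baseScore": ...},
"cvssv2": {"score": ...}}]}]}; confirm these keys against a real report.
"""
import json
import sys

# Constructed sample report: placeholder jar names and CVE ids, not real scan output.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-logging-1.0.jar", "vulnerabilities": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
            {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
        ]},
        {"fileName": "example-utils-2.1.jar", "vulnerabilities": [
            {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}},
        ]},
        # A finding with no CVSS score at all: the gate must decide how to treat it.
        {"fileName": "example-parser-0.9.jar", "vulnerabilities": [
            {"name": "CVE-0000-0004", "severity": "UNKNOWN"},
        ]},
        {"fileName": "clean-lib-3.0.jar"},  # no "vulnerabilities" key at all
    ],
})


def build_command(project, scan_path, out_dir, threshold):
    """Assemble the CLI call from the guide's example, adding JSON output and the
    tool's own CVSS gate (--failOnCVSS) so the report can also be parsed afterwards."""
    return [
        "./dependency-check.sh",
        "--project", project,
        "--scan", scan_path,
        "--format", "JSON",
        "--out", out_dir,
        "--failOnCVSS", str(threshold),
    ]


def _score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, else None (unscored)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def load_findings(report_text):
    """Flatten the report into one record per (dependency, CVE) pair, worst first."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({
                "dependency": dep.get("fileName", "<unknown>"),
                "cve": vuln.get("name", "<unnamed>"),
                "severity": str(vuln.get("severity", "UNKNOWN")).upper(),
                "score": _score(vuln),
            })
    # Unscored findings sort last but are kept, so they are never silently lost.
    return sorted(findings, key=lambda f: (-(f["score"] or 0.0), f["cve"]))


def gate(report_text, threshold, fail_unscored=False):
    """Return (passed, failing). A finding fails when its score is at or above
    threshold; findings with no score fail only if fail_unscored is set."""
    failing = []
    for f in load_findings(report_text):
        if f["score"] is None:
            if fail_unscored:
                failing.append(f)
        elif f["score"] >= threshold:
            failing.append(f)
    return (not failing), failing


def main(argv):
    if len(argv) != 3:
        print("usage: gate_report.py <dependency-check-report.json> <cvss-threshold>")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        report_text = fh.read()
    passed, failing = gate(report_text, float(argv[2]), fail_unscored=True)
    for f in failing:
        print(f"FAIL {f['dependency']}: {f['cve']} severity={f['severity']} score={f['score']}")
    print("gate passed" if passed else f"gate failed: {len(failing)} finding(s) at or above {argv[2]}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the command returned by build_command first; --failOnCVSS already makes Dependency-Check exit non-zero above the threshold, and the parsing step adds what a pipeline log usually lacks: the per-dependency list of blocking CVEs and an explicit policy for findings that carry no CVSS score, which a plain threshold would otherwise let through.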

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.