Dependency-Check

Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

Documentation and links to production binary releases can be found on the github pages. Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].

Notice

This product uses the NVD API but is not endorsed or certified by the NVD.

Mandatory Upgrade to 12.1.0+

Due to NVD API compatibility changes, an upgrade is mandatory. See #7463 for more information.

Breaking Changes in 11.0.0

• Java 11 is now required to run dependency-check 11.0.0 or higher

• H2 database upgrade

  11.0.0 contains breaking changes using the local H2 database. A full download of the NVD data will occur. Note that if you are using a shared data directory the h2 database file is not compatible with older versions of dependency-check. If you run into problems you may need to run a purge:

  • gradle: ./gradlew dependencyCheckPurge
  • maven: mvn org.owasp:dependency-check-maven:11.0.0:purge
  • cli: dependency-check.sh --purge

Other notices

NVD API Key Highly Recommended

Dependency-check moved from using the NVD data-feed to the NVD API since 9.0.0+ (January 2024). Users of dependency-check are highly encouraged to obtain an NVD API Key; see https://nvd.nist.gov/developers/request-an-api-key Without an NVD API Key dependency-check's updates will be extremely slow. Please see the documentation for the cli, maven, gradle, or ant integrations on how to set the NVD API key.

The NVD API Key, CI, and Rate Limiting

The NVD API has enforced rate limits. If you are using a single API KEY and multiple builds occur you could hit the rate limit and receive 403 errors. In a CI environment one must use a caching strategy.

OSSIndex API Token Now Required for usage

In September 2025 Sonatype OSSIndex started enforcing use of API tokens. If you wish to use Sonatype OSSIndex you must configure Dependency-Check to use a username and API token/password; see https://ossindex.sonatype.org/doc/api-token. Without OSSIndex credentials, Dependency Check will automatically disable the OSSIndex analyzer. Please see the documentation for the cli, maven, gradle, or ant integrations on how to set the OSSIndex credentials.

Gradle build Environment

With 9.0.0+ users may encounter issues with NoSuchMethodError exceptions due to dependency resolution. If you encounter this issue you will need to pin some of the transitive dependencies of dependency-check to specific versions. For example:

/buildSrc/build.gradle

dependencies {
    constraints {
        // org.owasp.dependencycheck needs at least this version of jackson. Other plugins pull in older versions..
        add("implementation", "com.fasterxml.jackson:jackson-bom:2.16.1")

        // org.owasp.dependencycheck needs these versions. Other plugins pull in older versions..
        add("implementation", "org.apache.commons:commons-lang3:3.14.0")
        add("implementation", "org.apache.commons:commons-text:1.11.0")
    }
}

Requirements

Java Version

Minimum Java Version: Java 11

Internet Access

OWASP dependency-check requires access to several externally hosted resources. For more information see Internet Access Required.

Build Tools

In order to analyze some technology stacks dependency-check may require other development tools to be installed. Some of the analysis listed below may be experimental and require the experimental analyzers to be enabled.

1. To analyze .NET Assemblies the dotnet 8 run time or SDK must be installed.
   • Assemblies targeting other run times can be analyzed - but 8 is required to run the analysis.
2. If analyzing GoLang projects go must be installed.
3. The analysis of Elixir projects requires mix_audit.
4. The analysis of npm, pnpm, and yarn projects requires npm, pnpm, or yarn to be installed.
   • The analysis performed utilize the respective audit feature of each.
5. The analysis of Ruby is a wrapper around bundle-audit, which must be installed.

Current Releases

Jenkins Plugin

For instructions on the use of the Jenkins plugin please see the OWASP Dependency-Check Plugin page.

Command Line

More detailed instructions can be found on the dependency-check github pages. The latest CLI can be downloaded from github in the releases section.

Downloading the latest release:

$ VERSION=$(curl -s https://dependency-check.github.io/DependencyCheck/current.txt)
$ curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip

On *nix

$ ./bin/dependency-check.sh -h
$ ./bin/dependency-check.sh --out . --scan [path to jar files to be scanned]

On Windows

> .\bin\dependency-check.bat -h
> .\bin\dependency-check.bat --out . --scan [path to jar files to be scanned]

On Mac with Homebrew Note - homebrew users upgrading from 5.x to 6.0.0 will need to run dependency-check.sh --purge.

$ brew update && brew install dependency-check
$ dependency-check -h
$ dependency-check --out . --scan [path to jar files to be scanned]

Maven Plugin

More detailed instructions can be found on the dependency-check-maven github pages. By default, the plugin is tied to the verify phase (i.e. mvn verify). Alternatively, one can directly invoke the plugin via mvn org.owasp:dependency-check-maven:check.

The dependency-check plugin can be configured using the following:

<project>
    <build>
        <plugins>
            ...
            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
              <executions>
                  <execution>
                      <goals>
                          <goal>check</goal>
                      </goals>
                  </execution>
              </executions>
            </plugin>
            ...
        </plugins>
        ...
    </build>
    ...
</project>

Gradle Plugin

For instructions on the use of the Gradle Plugin, please see the dependency-check-gradle github page.

Ant Task

For instructions on the use of the Ant Task, please see the dependency-check-ant github page.

Development Prerequisites

For installation to pass, you must have the following components installed:

• Java: java -version 25.0
• Maven: mvn -version 3.6.3 and higher

Tests cases require:

• dotnet core version 8.0
• Go: go version 1.12 and higher
• Ruby bundler-audit
• Yarn
• pnpm

Development Usage

The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended that the release versions listed above be used.

The repository has some large files due to test resources. The team has tried to clean up the history as much as possible. However, it is recommended that you perform a shallow clone to save yourself time:

git clone --depth 1 https://github.com/dependency-check/DependencyCheck.git

On *nix

$ mvn -s settings.xml install
$ ./cli/target/release/bin/dependency-check.sh -h
$ ./cli/target/release/bin/dependency-check.sh --out . --scan ./src/test/resources

On Windows

> mvn -s settings.xml install
> .\cli\target\release\bin\dependency-check.bat -h
> .\cli\target\release\bin\dependency-check.bat --out . --scan ./src/test/resources

Then load the resulting 'dependency-check-report.html' into your favorite br