MavenDependencyCheck
An automation script to run OWASP Dependency-Check on multiple Maven Based projects.
The script clones the given repositories and builds each one with Maven. Once a build succeeds, it runs Dependency-Check against the project and generates the reports.
Requirements
- Python modules: os & shutil
- Maven: Installation instructions can be found here
- `repo.conf` containing the git commands to be run for cloning the projects

Example commands for `repo.conf`:

```
git clone https://github.com/elderstudios/uni-dvwa-spring.git
```
Usage
```
python depcheck.py
```
And let the script do the magic
Tested and working fine on CentOS Linux release 7.6.1810 (Core) with Python 2.7.5.
Dependency: Unix/Linux environment
Note: Dependency-Check may need internet access to update the NVD database, so a proxy might be needed if you are in a restricted environment. To make this script use a proxy, use the sample code to configure your proxy settings, then uncomment line 57 and comment out line 56. Refer: Dependency-Check Command Line Arguments.
For running the `mvn` command through a proxy, refer to this article.
Supported report formats
- XML
- HTML
- CSV
- JSON
- JUNIT
- SARIF
Note: By default the script generates reports in all of these formats; an individual report format can be selected with the `-f` or `--format` argument on line 56.
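The clone / build / scan flow and the proxy and format switches described above, as an added example that is not the project's own `depcheck.py`. It assumes `git`, `mvn` and the Dependency-Check CLI `dependency-check.sh` are on PATH, and that every `repo.conf` line is a `git clone <url>` command as in the example above; the two helper functions are pure so they can be checked without cloning anything.

```python
"""Added example (not the project's depcheck.py): parse repo.conf, clone, build, scan."""
import os
import shlex
import shutil
import subprocess

# Report formats listed in the README; the CLI also accepts ALL.
REPORT_FORMATS = ("XML", "HTML", "CSV", "JSON", "JUNIT", "SARIF")


def parse_repo_conf(text):
    """Return (clone_argv, checkout_dir) for each non-empty, non-comment line."""
    repos = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[:2] != ["git", "clone"]:  # only clone commands are allowed to run
            raise ValueError("unsupported repo.conf line: %r" % line)
        name = argv[-1].rstrip("/").rsplit("/", 1)[-1]  # assumes the URL is last
        if name.endswith(".git"):
            name = name[:-4]
        repos.append((argv, name))
    return repos


def depcheck_command(project_dir, out_dir, formats=REPORT_FORMATS, proxy=None):
    """Build the dependency-check argv; proxy is an optional (host, port) tuple."""
    cmd = ["dependency-check.sh", "--project", os.path.basename(project_dir),
           "--scan", project_dir, "--out", out_dir]
    for fmt in formats:  # --format may be repeated, one report per format
        cmd += ["--format", fmt]
    if proxy:
        host, port = proxy
        cmd += ["--proxyserver", host, "--proxyport", str(port)]
    return cmd


def run_all(conf_path="repo.conf", work_dir="work", reports_dir="reports", proxy=None):
    """Clone, build with Maven and scan every repository listed in repo.conf."""
    with open(conf_path) as f:
        repos = parse_repo_conf(f.read())
    for clone_argv, name in repos:
        target = os.path.join(work_dir, name)
        shutil.rmtree(target, ignore_errors=True)  # fresh clone on every run
        subprocess.check_call(clone_argv + [target])
        subprocess.check_call(["mvn", "-q", "package", "-DskipTests"], cwd=target)
        subprocess.check_call(depcheck_command(target, os.path.join(reports_dir, name), proxy=proxy))


if __name__ == "__main__":
    run_all()
```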
Authors
Credits
- OWASP Dependency Check by Jeremy Long
- Shrutirupa Banerjiee & Aishwarya Iyer for reviewing
Pull Requests and comments are welcome :relaxed:
Also, I know there is a Maven plugin available for Dependency-Check which can be injected directly into the project's pom.xml, but my use case was such that I did not have write access to the code repo, and injecting the Maven script for Dependency-Check after cloning the projects and then building them was a bit time consuming.