OWASP Dependency-Check identifies known vulnerabilities in third-party libraries by scanning dependency files, binary artifacts, and metadata for CVEs. It performs Software Composition Analysis using the National Vulnerability Database, vendor advisories, and ecosystem-specific security feeds. Dependency-Check prevents vulnerable open-source components from entering your application and enforces strong supply-chain security.
How OWASP Dependency-Check Works
Dependency-Check analyzes project dependency manifests and builds a list of all libraries, including transitive dependencies. It extracts metadata such as package names, versions, hashes, and CPE identifiers. Dependency-Check then maps these libraries against vulnerability databases. If a library version matches a known CVE entry, the tool produces a detailed report with severity, descriptions, and remediation guidance.
Dependency-Check supports multiple ecosystems including Java, Python, JavaScript, .NET, Ruby, PHP, and Go. It integrates with build tools, CI/CD pipelines, and local development workflows.
What Dependency-Check Detects
Known Vulnerabilities in Libraries
It identifies libraries with published CVEs, showing severity levels based on CVSS scores.
Vulnerable Transitive Dependencies
Dependencies used by your packages—even if not directly installed—are scanned.
End-of-Life Dependencies
Old or unmaintained components lacking updates or security patches are flagged.
Misidentified or Incorrect Versions
Dependency-Check warns about incomplete metadata that may cause mismatches.
Build-System Artifacts
In Java ecosystems, it scans JARs, WARs, EARs, and archived binary files.
Dependency-Check prevents outdated, compromised, or dangerous libraries from reaching production.
Supported Dependency File Types
• Maven pom.xml
• Gradle build.gradle
• Node.js package-lock.json
• Python requirements.txt
• .NET .csproj
• Ruby Gemfile.lock
• PHP composer.lock
• Go modules
Binary scanning includes .jar, .war, .dll, .exe, .so, and .zip archives.
Installing Dependency-Check
CLI Installation
Download the release archive from the OWASP site.
Extract it and add it to your PATH.
Run help:
dependency-check --help
Docker
docker run --rm \
  -v $(pwd):/src \
  owasp/dependency-check \
  --scan /src \
  --format HTML \
  --out /src/report
Docker simplifies updates and avoids local configuration issues.
Running a Basic Scan (CLI)
Scan a project directory:
dependency-check \
  --scan . \
  --format ALL \
  --out reports/
Generated outputs include:
• HTML report
• JSON report
• XML report
• CSV report
Each report lists vulnerabilities, severity, dependency paths, and remediation options.
Interpreting Reports
Severity Levels
Critical, High, Medium, and Low, derived from the CVSS score.
CVE Details
Each finding includes description, exploitability metrics, and references.
Evidence
Shows the metadata (file names, manifest entries, hashes) used to match the library to a CVE.
Dependency Tree
Shows how transitive dependencies introduce risk.
Remediation Guidance
Suggests upgrading versions or replacing libraries.
Dependency-Check enables precise vulnerability tracing and fast patching.
Reducing False Positives
Use suppression files when:
• Version mapping is incorrect
• Library is patched but metadata suggests otherwise
• CVE does not affect actual usage
Create suppression file:
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Why the finding is suppressed, who reviewed it, and when</notes>
    <!-- Without a filePath, sha1, gav, or packageUrl element this entry applies to every dependency in the scan -->
    <cve>CVE-XXXX-YYYY</cve>
  </suppress>
</suppressions>
Pass it during scan:
--suppression suppression.xml
Integrating Dependency-Check With Build Tools
Maven
Add the plugin to the build section of pom.xml (the check goal binds to the verify phase by default):
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>9.0.0</version>
  <executions>
    <execution>
      <goals><goal>check</goal></goals>
    </execution>
  </executions>
</plugin>
Run:
mvn verify
Gradle
Apply the plugin in build.gradle:
plugins {
  id "org.owasp.dependencycheck" version "9.0.0"
}
Run:
gradle dependencyCheckAnalyze
Node.js / Python
Use CLI or Docker scans in pipelines.
CI/CD Integration
GitHub Actions
- name: Dependency-Check
  uses: jkroepke/dependency-check-action@v3
  with:
    project: "my-app"
    path: "."
GitLab CI
dependency-check:
  script:
    - dependency-check --scan . --format JSON --out reports/
  artifacts:
    paths:
      - reports/
Jenkins
Use Dependency-Check Plugin:
Pipeline step:
dependencyCheck additionalArguments: '--scan .'
A scan that exceeds the configured threshold fails the build, acting as a quality gate.
Full-Length Practical Section
Below are extensive hands-on practical exercises for mastering Dependency-Check in real development pipelines.
Practical 1: Install and Run Your First Scan
Download the CLI.
Run:
dependency-check --scan . --format HTML --out report
Open report/dependency-check-report.html to review vulnerabilities.
Practical 2: Scan Java Project With Maven
Add plugin:
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>9.0.0</version>
  <executions><execution><goals><goal>check</goal></goals></execution></executions>
</plugin>
Run:
mvn verify
Review the HTML report inside target/.
Practical 3: Scan Node.js Project
Install dependencies.
Run:
dependency-check --scan . --format ALL --out reports
Trace vulnerable packages in package-lock.json.
Practical 4: Scan Python Requirements
Prepare file:
requirements.txt
Run:
dependency-check --scan . --out reports
Verify vulnerable versions and recommended upgrades.
Practical 5: Scan JAR or WAR Files
Place the JARs in a directory (here jars/).
Run:
dependency-check --scan jars/ --format HTML --out reports
Review binary metadata results.
Practical 6: Add Suppression File
Create:
suppression.xml
Run scan with suppression:
dependency-check --scan . --suppression suppression.xml
Observe reduced false positives.
Practical 7: Automate Daily Scans With Cron
Create script:
dependency-check --scan /app --format JSON --out /app/reports
Add cron entry for nightly scanning.
Practical 8: Integrate With GitHub Actions
Workflow:
- name: Dependency-Check
  uses: dependency-check/cli-action@v1
Push a commit that adds a known-vulnerable dependency and watch the pipeline fail.
Practical 9: Enforce Version Upgrades
Find vulnerable package in report.
Edit dependency file.
Upgrade version.
Re-run scan to confirm remediation.
Practical 10: Create CI Blocking Rules
Define rule:
• Fail build if any CVSS > 7.0
Run (--failOnCVSS returns a non-zero exit code when any finding scores at or above the given value):
dependency-check --scan . --failOnCVSS 7
Test with vulnerable dependency.
Practical 11: Build Dependency Baseline File
Store latest known-good versions:
dependency-baseline.json
Compare future scans against baseline.
Practical 12: Create Pipeline Artifact Reports
CI uploads HTML, JSON, and XML reports.
Use them for audits.
Practical 13: Scan Docker Images
Export the image as a tarball, unpack it into a directory, and scan that directory:
mkdir extracted
docker save myimage | tar -xf - -C extracted
dependency-check --scan extracted/ --out report
Review OS-level libraries.
Practical 14: Integrate With SonarQube
Export JSON report.
Use SonarQube plugin to view vulnerabilities alongside code issues.
Practical 15: Detect Dependency Confusion Risks
Scan for dependencies resolved from public registries.
Flag packages that shadow internal ones.
Practical 16: Use JUnit XML Output for CI Visualizations
Run:
dependency-check --scan . --format JUNIT --out reports
Import into CI test results viewer.
Practical 17: Create Enterprise Suppression Policy
Store centralized suppression rules in repository:
/security/suppression/
Apply globally across projects.
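A policy check for suppression files, added here as an example (it is not part of Dependency-Check) to go with the central suppression repository in Practical 17 and the suppression section above. It assumes the 1.3 suppression schema (a notes element, the filePath/sha1/gav/packageUrl scoping elements, and the until attribute); the embedded file, its coordinates and its CVE ids are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd}"
SCOPES = ("filePath", "sha1", "gav", "packageUrl")  # elements that limit a suppress entry

# Constructed sample suppression file; coordinates and CVE ids are placeholders.
SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>Reviewed 2024-01-10: the vulnerable code path is not reachable.</notes>
    <packageUrl regex="true">^pkg:maven/com\.example/libfoo@.*$</packageUrl>
    <cve>CVE-0000-0001</cve>
  </suppress>
  <suppress until="2023-12-31Z">
    <notes>Temporary, waiting for the upstream fix.</notes>
    <gav regex="true">^com\.example:libbar:.*$</gav>
    <cve>CVE-0000-0002</cve>
  </suppress>
  <suppress>
    <cve>CVE-0000-0003</cve>
  </suppress>
</suppressions>"""


def lint(xml_text, today="2024-06-01"):
    """Return one message per policy violation: missing justification,
    unscoped (global) suppression, or an expired until date."""
    problems = []
    today_d = date.fromisoformat(today)
    root = ET.fromstring(xml_text.encode("utf-8"))
    for i, sup in enumerate(root.findall(NS + "suppress"), start=1):
        cves = [c.text for c in sup.findall(NS + "cve")]
        label = "suppress #%d (%s)" % (i, ", ".join(cves) or "no cve")
        notes = sup.find(NS + "notes")
        if notes is None or not (notes.text or "").strip():
            problems.append(label + ": missing <notes> justification")
        if not any(sup.find(NS + s) is not None for s in SCOPES):
            problems.append(label + ": global suppression, add a filePath, sha1, gav or packageUrl element")
        until = sup.get("until")  # yyyy-MM-dd with an optional trailing Z
        if until and date.fromisoformat(until.rstrip("Z")) < today_d:
            problems.append(label + ": until=" + until + " has expired")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

Run it against every file under the central suppression directory in CI and fail the job when it returns anything, so that unjustified or expired global suppressions never reach a scan.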
Practical 18: Monitor Trends Over Time
Store JSON outputs from each scan.
Plot:
• counts of vulnerabilities
• severity levels
• dependency age
Use trends for security governance.
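A gate script over the JSON report that covers Practical 10 (blocking rule), Practical 11 (baseline comparison) and Practical 18 (severity counts for trending), added here as an example and not part of Dependency-Check itself. It assumes the report's dependencies[].vulnerabilities[] layout with cvssv3.baseScore and cvssv2.score fields; the embedded report, its file names, CVE ids and scores are constructed placeholders, and the threshold is applied as at-or-above, matching --failOnCVSS.

```python
import json
from collections import Counter

# Constructed sample in the layout of a Dependency-Check JSON report
# (dependencies[].vulnerabilities[]); file names, CVE ids and scores are made up.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "libfoo-1.2.3.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "CRITICAL",
         "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
        {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}}]},
    {"fileName": "libbar-0.9.0.jar", "vulnerabilities": [
        {"name": "CVE-0000-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}}]},  # v2 only
    {"fileName": "libbaz-2.0.0.jar"}]})  # clean dependency: no vulnerabilities key


def findings(report_json):
    """Flatten the report into (dependency, cve, score) triples, preferring CVSS v3."""
    out = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = vuln.get("cvssv3", {}).get("baseScore")
            if score is None:  # older NVD entries carry only a CVSS v2 score
                score = vuln.get("cvssv2", {}).get("score", 0.0)
            out.append((dep["fileName"], vuln["name"], float(score)))
    return out


def severity_counts(report_json):
    """Per-severity totals, the numbers worth storing per scan for trending."""
    counts = Counter()
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            counts[vuln.get("severity", "UNKNOWN")] += 1
    return dict(counts)


def gate(report_json, baseline, threshold=7.0):
    """Findings not in the reviewed baseline (a set of (dependency, cve) pairs)
    that score at or above the threshold; a non-empty result should fail the build."""
    return [f for f in findings(report_json)
            if (f[0], f[1]) not in baseline and f[2] >= threshold]


def resolved(report_json, baseline):
    """Baseline entries no longer reported, i.e. fixed since the baseline was taken."""
    present = {(f[0], f[1]) for f in findings(report_json)}
    return sorted(baseline - present)


if __name__ == "__main__":
    blocking = gate(SAMPLE_REPORT, {("libbar-0.9.0.jar", "CVE-0000-0003")})
    raise SystemExit(1 if blocking else 0)  # non-zero exit blocks the pipeline
```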
Practical 19: Build Multi-Module Scan
Scan subprojects:
dependency-check --scan module1 --scan module2
Compare cross-module vulnerabilities.
Practical 20: Complete Dependency-Check Architecture
Include:
• CLI
• CI/CD
• Suppression policies
• Reports
• Dashboards
• Build tool plugins
• Quality gates
• Organizational governance
Use architecture for supply-chain risk management.
Intel Dump
• OWASP Dependency-Check performs SCA to detect vulnerable libraries
• It scans manifests, lockfiles, binaries, and transitive dependencies
• Reports include CVEs, severity scores, evidence, and remediation steps
• Integrates with Maven, Gradle, Docker, GitHub, GitLab, Jenkins, and full CI/CD pipelines
• Supports suppression files to reduce false positives
• Practical tasks include installation, scanning, suppression, CI integration, binary scanning, Docker scanning, nightly automation, and building full SCA architecture