> For the complete documentation index, see [llms.txt](https://www.pranaypourkar.co.in/the-programmers-guide/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.pranaypourkar.co.in/the-programmers-guide/system-design/security/security-threats-and-mitigations/owasp/dependency-check.md). # Dependency Check ## About OWASP Dependency-Check is a **software composition analysis (SCA) tool** that identifies **vulnerable dependencies** in a project by scanning its libraries and frameworks. It helps developers **detect known security vulnerabilities** in third-party dependencies using the **Common Vulnerabilities and Exposures (CVE) database**. ## What is OWASP Dependency-Check? OWASP Dependency-Check is an **open-source security tool** that analyzes dependencies used in an application and **detects known vulnerabilities** by checking against databases like: * **National Vulnerability Database (NVD)** * **GitHub Security Advisories** * **Sonatype OSS Index** * **VulnDB (commercial integration)** {% hint style="info" %} Refer to the Official Documentation for more details**:** {% endhint %} ## Why is OWASP Dependency-Check Important? * **Third-Party Libraries Are Common Attack Vectors** – Many security breaches originate from vulnerable third-party libraries (e.g., Log4Shell vulnerability in Log4j). * **Automatically Detects Known Vulnerabilities** – Scans project dependencies and matches them against public vulnerability databases. * **Prevents Supply Chain Attacks** – Ensures that your application does not include compromised or backdoored dependencies. * **Integrates with Build Pipelines** – Can be used with Maven, Gradle, Jenkins, GitHub Actions, and CI/CD pipelines. * **Compliance with Security Standards** – Helps organizations comply with ISO 27001, NIST, GDPR, and PCI-DSS security requirements. ## How OWASP Dependency-Check Works ? 1. **Extracts dependency information** – Reads dependencies from Maven (pom.xml), Gradle (build.gradle), or package managers. 2. **Matches against vulnerability databases** – Checks dependencies against NVD, OSS Index, and other sources. 3. **Generates a vulnerability report** – Lists dependencies along with CVE details, CVSS scores, and remediation suggestions. ## How to Use OWASP Dependency-Check in a Java Spring Boot (Maven) Project ? ### **Step 1: Add Dependency-Check Plugin in Maven** Modify our `pom.xml` to include the OWASP Dependency-Check plugin. ```xml org.owasp dependency-check-maven 8.4.0 check ``` This configuration allows Dependency-Check to scan dependencies automatically during the Maven build process. ### **Step 2: Run OWASP Dependency-Check in Maven** Run the following command to execute the scan ```sh mvn org.owasp:dependency-check-maven:check ``` This will analyze the project’s dependencies and generate a report in `target/dependency-check-report.html`. ### **Step 3: View the Dependency Report** After running the scan, check the generated **HTML report** at: ```sh target/dependency-check-report.html ``` This report includes: * List of vulnerable dependencies * CVE IDs (e.g., CVE-2023-1234) * CVSS Scores (severity rating of vulnerabilities) * Suggested remediation actions ## Understanding Dependency-Check Report The Dependency-Check report provides the following details:
ColumnDescription
Dependency NameThe affected library (e.g., log4j-core-2.14.1.jar).
CVE IDUnique identifier for the vulnerability (e.g., CVE-2021-44228).
CVSS ScoreSeverity rating (1-10, where 10 is critical).
Vulnerability DetailsDescription of the security risk.
Suggested FixRecommended action (e.g., update to a secure version).
## Automating Dependency-Check in CI/CD Pipelines To **fail the build** when critical vulnerabilities are found, add this configuration: ```xml 7.0 ``` * If any **vulnerability with a CVSS score ≥ 7.0** is detected, the build will fail. * This ensures **no high-risk dependency gets deployed**. {% hint style="info" %} **Use Exclusions for False Positives** – Some libraries may trigger false alarms. Use - ```xml dependency-check-suppress.xml ``` {% endhint %} ## List of alternative tools for dependency security scanning 1. **OWASP Dependency-Check** (Open-source vulnerability scanner) 2. **OWASP Dependency-Track** (SBOM monitoring and vulnerability tracking) 3. **Snyk** (Developer-focused security scanning) 4. **Sonatype Nexus IQ** (Enterprise-grade dependency scanning) 5. **JFrog Xray** (Security and compliance for artifacts) 6. **GitHub Dependabot** (Automated dependency updates) 7. **Mend Renovate** (Automated dependency updates with security insights) 8. **Black Duck** (Comprehensive open-source vulnerability scanning) 9. **FOSSA** (License compliance and security scanning) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://www.pranaypourkar.co.in/the-programmers-guide/system-design/security/security-threats-and-mitigations/owasp/dependency-check.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.