Skip to content
Jeremy Long edited this page Jul 24, 2021 · 14 revisions

This wiki is outdated but has been left here because it contains some useful information for developers wanting to get a better understanding of the internals so that they can implement new analyzers, etc.

Current user documentation can be found here: http://jeremylong.github.io/DependencyCheck


The purpose of dependency-check is to help notify developers and security professionals of the problem discussed by Jeff Williams and Arshan Dabirsiaghi in their talk at AppSec DC 2012 titled "The Unfortunate Reality of Insecure Libraries". The gist of the presentation is that we as a development community include third party libraries in our applications that contain well known published vulnerabilities (such as those at the National Vulnerability Database).

Currently, dependency-check is a (java) command line tool that scans directories and files. If it contains an Analyzer that can scan a particular file type then information about the file is collected. This information is then used to identify the Common Platform Enumeration (CPE). If a CPE is identified a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report.

Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. NOTE: the initial download of data may take five minutes or more. If the tool is run at least once every 7 days then only a small XML file needs to be downloaded to keep the data current.

More information about dependency-check can be found here:

To use dependency-check you need to download the project from github and compile the project using Maven. Once compiled it can be run using the following commands (replacing [version] with the current version):

Display Help:

java -jar dependency-check-[version].jar -h

Scan a directory called 'lib' in an application called 'Sample' and writes the report in the current working directory:

java -jar dependency-check-[version].jar --scan "/path/to/lib" --app Sample --out .

The above command will produce a file in the current working directory called DependencyCheck-Report.html.