[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/843/badge)](https://bestpractices.coreinfrastructure.org/projects/843) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt)

[![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.toolswatch.org/2015/06/black-hat-arsenal-usa-2015-speakers-lineup/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2014.svg)](https://www.toolswatch.org/2014/06/black-hat-usa-2014-arsenal-tools-speaker-list/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2013.svg)](https://www.toolswatch.org/2013/06/announcement-blackhat-arsenal-usa-2013-selected-tools/)

Dependency-Check
================

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].
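The following Python sketch is an added illustration of the matching step described above; it is not code from the Dependency-Check project and does not reproduce its analyzers. Evidence gathered about a dependency (vendor, product and version strings, as one might read from a jar manifest or pom) is normalised into a CPE-style identifier and then checked against a small table of vulnerable version ranges. The table (`VULN_TABLE`), the sample dependencies, the function names and the `CVE-0000-000N` ids are all constructed placeholders, not NVD data.

```python
# Added illustration, not Dependency-Check's own code: a toy version of the
# CPE matching step. Evidence about a dependency is turned into a CPE-style
# identifier, which is then checked against a table of vulnerable version
# ranges. Table rows, dependency evidence and CVE ids are constructed placeholders.
from typing import Dict, List, NamedTuple, Tuple


class VulnEntry(NamedTuple):
    vendor: str       # CPE vendor field
    product: str      # CPE product field
    start_incl: str   # first affected version (inclusive)
    end_excl: str     # first fixed version (exclusive)
    cve: str          # placeholder id, not a real CVE
    cvss: float


# Constructed stand-in for an NVD-derived lookup table.
VULN_TABLE: List[VulnEntry] = [
    VulnEntry("acme", "webparser", "1.0", "1.4.2", "CVE-0000-0001", 7.5),
    VulnEntry("acme", "webparser", "2.0", "2.1", "CVE-0000-0002", 5.0),
    VulnEntry("acme", "logutil", "0", "3.0.0", "CVE-0000-0003", 9.8),
]


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2, 0) so versions compare numerically.
    A non-numeric suffix such as '-SNAPSHOT' is ignored, and the tuple is
    zero-padded so that '1.4' and '1.4.0' compare equal."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def to_cpe(vendor: str, product: str, version: str) -> str:
    """Build a CPE 2.2 style URI from the evidence: fields are lower-cased
    and internal whitespace becomes '_', as in CPE names."""
    def norm(s: str) -> str:
        return "_".join(s.strip().lower().split())
    return f"cpe:/a:{norm(vendor)}:{norm(product)}:{version.strip().lower()}"


def find_vulnerabilities(cpe: str, table: List[VulnEntry] = VULN_TABLE) -> List[VulnEntry]:
    """Rows whose vendor/product match the CPE and whose
    [start_incl, end_excl) range contains the dependency's version."""
    _, _, vendor, product, version = cpe.split(":", 4)
    v = parse_version(version)
    return [
        e for e in table
        if e.vendor == vendor and e.product == product
        and parse_version(e.start_incl) <= v < parse_version(e.end_excl)
    ]


def build_report(dependencies: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One report row per dependency: its CPE, matched CVE ids, highest CVSS."""
    rows: List[Dict[str, object]] = []
    for dep in dependencies:
        cpe = to_cpe(dep["vendor"], dep["product"], dep["version"])
        hits = find_vulnerabilities(cpe)
        rows.append({
            "fileName": dep["fileName"],
            "cpe": cpe,
            "cves": [h.cve for h in hits],
            "maxCvss": max((h.cvss for h in hits), default=0.0),
        })
    return rows


# Constructed evidence, as if collected from jar manifests and pom.xml files.
SAMPLE_DEPENDENCIES = [
    {"fileName": "webparser-1.2.jar", "vendor": "Acme", "product": "WebParser", "version": "1.2"},
    {"fileName": "webparser-1.4.2.jar", "vendor": "Acme", "product": "WebParser", "version": "1.4.2"},
    {"fileName": "logutil-2.9.1-SNAPSHOT.jar", "vendor": "acme", "product": "logutil", "version": "2.9.1-SNAPSHOT"},
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_DEPENDENCIES):
        print(row)
```

The second sample (`webparser-1.4.2.jar`) sits exactly at the fixed version, so the exclusive upper bound keeps it out of the report; getting that boundary right, and normalising vendor and product names consistently, is where most false positives and false negatives in this kind of matching come from.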

Current Releases
-------------
### Jenkins Plugin

For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin).

### Command Line

More detailed instructions can be found on the
[dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/).
The latest CLI can be downloaded from bintray's
[dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check).

On *nix
```
$ ./bin/dependency-check.sh -h
$ ./bin/dependency-check.sh --project Testing --out . --scan [path to jar files to be scanned]
```
On Windows
```
> .\bin\dependency-check.bat -h
> .\bin\dependency-check.bat --project Testing --out . --scan [path to jar files to be scanned]
```
On Mac with [Homebrew](http://brew.sh)
```
$ brew update && brew install dependency-check
$ dependency-check -h
$ dependency-check --project Testing --out . --scan [path to jar files to be scanned]
```

### Maven Plugin

More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven).
By default, the plugin is tied to the `verify` phase (i.e. `mvn verify`). Alternatively,
one can directly invoke the plugin via `mvn org.owasp:dependency-check-maven:check`.

The dependency-check plugin can be configured using the following:

```xml
<project>
    <build>
        <plugins>
            ...
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>check</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            ...
        </plugins>
        ...
    </build>
    ...
</project>
```

### Ant Task

For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant).

Development Usage
-------------
The following instructions outline how to compile and use the current snapshot. While every effort is made to keep the snapshot stable, it is recommended
that the release versions listed above be used.

The repository has some large files due to test resources. The team has tried to clean up the history as much as possible.
However, it is recommended that you perform a shallow clone to save yourself time:

```bash
git clone --depth 1 git@github.com:jeremylong/DependencyCheck.git
```

On *nix
```
$ mvn install
$ ./dependency-check-cli/target/release/bin/dependency-check.sh -h
$ ./dependency-check-cli/target/release/bin/dependency-check.sh --project Testing --out . --scan ./src/test/resources
```
On Windows
```
> mvn install
> .\dependency-check-cli\target\release\bin\dependency-check.bat -h
> .\dependency-check-cli\target\release\bin\dependency-check.bat --project Testing --out . --scan ./src/test/resources
```

Then load the resulting `dependency-check-report.html` into your favorite browser.

### Docker

In the following example it is assumed that the source to be checked is in the current working directory. Persistent data and report directories are used, allowing you to destroy the container after running.

```sh
#!/bin/sh

OWASPDC_DIRECTORY=$HOME/OWASP-Dependency-Check
DATA_DIRECTORY="$OWASPDC_DIRECTORY/data"
REPORT_DIRECTORY="$OWASPDC_DIRECTORY/reports"

if [ ! -d "$DATA_DIRECTORY" ]; then
    echo "Initially creating persistent directories"
    mkdir -p "$DATA_DIRECTORY"
    # world-writable so the user inside the container can update the data
    chmod -R 777 "$DATA_DIRECTORY"

    mkdir -p "$REPORT_DIRECTORY"
    chmod -R 777 "$REPORT_DIRECTORY"
fi

# Make sure we are using the latest version
docker pull owasp/dependency-check

# quote $(pwd) so a working directory containing spaces still mounts correctly
docker run --rm \
    --volume "$(pwd)":/src \
    --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data \
    --volume "$REPORT_DIRECTORY":/report \
    owasp/dependency-check \
    --scan /src \
    --format "ALL" \
    --project "My OWASP Dependency Check Project"
    # Use suppression like this: (/src == $pwd)
    # --suppression "/src/security/dependency-check-suppression.xml"

```


Upgrade Notes
-------------

### Upgrading from **1.x.x** to **2.x.x**

Note that when upgrading from version 1.x.x the following changes will need to be made to your configuration.

#### Suppression file

In order to support multiple suppression files, the mechanism for configuring suppression files has changed.
As such, users that have defined a suppression file in their configuration will need to update.

See the examples below:

##### Ant

Old:

```xml
<dependency-check
    failBuildOnCVSS="3"
    suppressionFile="suppression.xml">
</dependency-check>
```

New:

```xml
<dependency-check
    failBuildOnCVSS="3">
    <suppressionFile path="suppression.xml" />
</dependency-check>
```

##### Maven

Old:

```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
        <suppressionFile>suppression.xml</suppressionFile>
    </configuration>
</plugin>
```

New:

```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <configuration>
        <suppressionFiles>
            <suppressionFile>suppression.xml</suppressionFile>
        </suppressionFiles>
    </configuration>
</plugin>
```

#### Gradle

In addition to the changes to the suppression file, the task `dependencyCheck` has been
renamed to `dependencyCheckAnalyze`.

Old:

```groovy
buildscript {
    repositories {
        mavenLocal()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:2.0.1-SNAPSHOT'
    }
}
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    suppressionFile='path/to/suppression.xml'
}
// task name before the rename
check.dependsOn dependencyCheck
```

New:
```groovy
buildscript {
    repositories {
        mavenLocal()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:2.0.1-SNAPSHOT'
    }
}
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    suppressionFiles = ['path/to/suppression1.xml', 'path/to/suppression2.xml']
}
check.dependsOn dependencyCheckAnalyze
```

Mailing List
------------

Subscribe: [dependency-check+subscribe@googlegroups.com][subscribe]

Post: [dependency-check@googlegroups.com][post]

Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)

Copyright & License
-------------------

Dependency-Check is Copyright (c) 2012-2017 Jeremy Long. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.

Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt][notices] file for more information.



  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
  [post]: mailto:dependency-check@googlegroups.com
  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt
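As an added example that is not part of the Dependency-Check project, the script below shows how a CI job can consume what the Docker script above produces (`--format "ALL"` includes an XML report) together with the multiple suppression files introduced in 2.x, and fail the build the way `failBuildOnCVSS` does: any unsuppressed finding whose score is at or above the threshold blocks the build. Both XML documents are constructed samples. The element names assumed for the report (`dependency`, `fileName`, `sha1`, `vulnerability`, `name`, `cvssScore`) and for suppressions (`suppress`, `sha1`, `cve`) follow the shape of the real files as I know them but are assumptions here, as are the function names (`parse_report`, `parse_suppressions`, `gate`); the suppression semantics are deliberately simplified to "an entry whose `sha1`, if given, matches the dependency hides the listed `cve` ids", and the `CVE-0000-000N` ids are placeholders.

```python
# Added example, not Dependency-Check's own code: a CI gate that reads a scan's
# XML report, applies suppression files, and fails on unsuppressed findings at
# or above a CVSS threshold (the failBuildOnCVSS rule). Element names for both
# documents are assumptions; the XML below is constructed sample data.
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Tuple

REPORT_XML = """<analysis xmlns="urn:constructed:report">
  <dependencies>
    <dependency>
      <fileName>webparser-1.2.jar</fileName>
      <sha1>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</sha1>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0001</name><cvssScore>7.5</cvssScore></vulnerability>
        <vulnerability><name>CVE-0000-0002</name><cvssScore>2.1</cvssScore></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>logutil-2.9.1.jar</fileName>
      <sha1>bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb</sha1>
      <vulnerabilities>
        <vulnerability><name>CVE-0000-0003</name><cvssScore>9.8</cvssScore></vulnerability>
      </vulnerabilities>
    </dependency>
  </dependencies>
</analysis>"""

# Two suppression files, as the 2.x suppressionFiles setting allows. The first
# is pinned to one artifact by sha1 (upper-case on purpose, hashes are compared
# case-insensitively); the second applies to any dependency.
SUPPRESSION_A = """<suppressions xmlns="urn:constructed:suppressions">
  <suppress>
    <notes>constructed sample: reviewed, the affected feature is not shipped</notes>
    <sha1>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</sha1>
    <cve>CVE-0000-0001</cve>
  </suppress>
</suppressions>"""
SUPPRESSION_B = """<suppressions xmlns="urn:constructed:suppressions">
  <suppress>
    <notes>constructed sample: accepted risk, low score</notes>
    <cve>CVE-0000-0002</cve>
  </suppress>
</suppressions>"""


class Finding(NamedTuple):
    file_name: str
    sha1: str
    cve: str
    cvss: float


class Suppression(NamedTuple):
    sha1: str            # "" means the rule applies to every dependency
    cves: frozenset


def _local(tag: str) -> str:
    """Strip an XML namespace: '{urn:x}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem: ET.Element, name: str) -> List[ET.Element]:
    """All descendants with the given local name, namespace ignored."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def _text(elem: ET.Element, name: str) -> str:
    """Text of the first direct child with the given local name, else ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def parse_report(xml_text: str) -> List[Finding]:
    """Flatten the report into one Finding per (dependency, vulnerability)."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for dep in _find_all(root, "dependency"):
        file_name, sha1 = _text(dep, "fileName"), _text(dep, "sha1").lower()
        for vuln in _find_all(dep, "vulnerability"):
            score = float(_text(vuln, "cvssScore") or "0")
            findings.append(Finding(file_name, sha1, _text(vuln, "name"), score))
    return findings


def parse_suppressions(xml_texts: List[str]) -> List[Suppression]:
    """Merge the <suppress> entries of several suppression files."""
    rules: List[Suppression] = []
    for text in xml_texts:
        for sup in _find_all(ET.fromstring(text), "suppress"):
            cves = frozenset((c.text or "").strip() for c in sup if _local(c.tag) == "cve")
            rules.append(Suppression(_text(sup, "sha1").lower(), cves))
    return rules


def is_suppressed(f: Finding, rules: List[Suppression]) -> bool:
    return any((not r.sha1 or r.sha1 == f.sha1) and f.cve in r.cves for r in rules)


def gate(report_xml: str, suppression_xmls: List[str], fail_on_cvss: float) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking findings): unsuppressed findings with a score
    at or above the threshold fail the build, as failBuildOnCVSS does."""
    rules = parse_suppressions(suppression_xmls)
    blocking = [f for f in parse_report(report_xml)
                if not is_suppressed(f, rules) and f.cvss >= fail_on_cvss]
    return (not blocking, blocking)


if __name__ == "__main__":
    import sys
    ok, blocking = gate(REPORT_XML, [SUPPRESSION_A, SUPPRESSION_B], fail_on_cvss=7.0)
    for f in blocking:
        print(f"{f.file_name}: {f.cve} (CVSS {f.cvss})")
    sys.exit(0 if ok else 1)
```

Keeping the `<notes>` element of every suppression populated, and pinning suppressions to a `sha1` where possible rather than silencing a CVE everywhere, keeps the exception list reviewable when the suppressed finding resurfaces in a different artifact.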