ScriptsJul 18, 2026·3 min read

OWASP Dependency-Check — Detect Known Vulnerabilities in Your Dependencies

OWASP Dependency-Check is a software composition analysis (SCA) tool that scans project dependencies against the National Vulnerability Database (NVD) to identify publicly disclosed vulnerabilities in third-party libraries.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Single
Trust
Trust: Established
Entrypoint
OWASP Dependency-Check
Direct install command
npx -y tokrepo@latest install 82468050-8262-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

Dependency-Check identifies known vulnerabilities in project dependencies by correlating them with CVE entries from the National Vulnerability Database. It supports Java, .NET, JavaScript, Python, Ruby, and more, and integrates into Maven, Gradle, Ant, Jenkins, and CI pipelines as a build-time security gate.

What Dependency-Check Does

  • Scans JAR, DLL, npm, pip, and other package formats for known CVEs
  • Correlates dependencies with the NIST National Vulnerability Database (NVD)
  • Generates HTML, JSON, CSV, and XML reports with CVE details and severity scores
  • Integrates as a plugin for Maven, Gradle, Ant, SBT, and Jenkins
  • Supports suppression files to manage false positives and accepted risks

Architecture Overview

Dependency-Check uses multiple analyzers that inspect dependency metadata (file hashes, package manifests, version strings) and match them against a local mirror of the NVD CVE database. The NVD data is downloaded and cached locally on first run, then updated incrementally. Each analyzer targets a specific ecosystem: the JAR analyzer handles Java, the Assembly analyzer handles .NET, the Node.js analyzer reads package-lock.json, and so on.

Self-Hosting & Configuration

  • Download the standalone CLI or use the Maven/Gradle/Ant plugin
  • First run downloads the NVD database (may take several minutes)
  • Configure NVD API key via --nvdApiKey for faster database updates
  • Use suppression XML files to whitelist known false positives
  • Set CVSS score thresholds with --failOnCVSS to fail builds on high-severity findings

Key Features

  • Scans 10+ dependency ecosystems including Java, .NET, Node.js, Python, and Ruby
  • Offline mode with pre-downloaded NVD data for air-gapped environments
  • CVSS-based build failure thresholds to enforce security policies in CI
  • Suppression files for managing false positives across teams
  • OWASP-backed project with continuous community maintenance

Comparison with Similar Tools

  • Snyk — SaaS-based with broader fix suggestions; Dependency-Check is free and self-hosted
  • Trivy — Container-focused scanner; Dependency-Check specializes in application dependencies
  • npm audit / pip-audit — Single ecosystem; Dependency-Check covers 10+ ecosystems in one tool
  • Grype — Faster container scanning; Dependency-Check has deeper NVD correlation for app-level deps
  • Renovate / Dependabot — Focus on version updates; Dependency-Check focuses on CVE detection

FAQ

Q: How often is the vulnerability database updated? A: The NVD mirror updates incrementally each time you run a scan (with network access). You can also schedule database updates separately.

Q: Does it produce false positives? A: Occasionally, especially with common library names. Use suppression files to document accepted risks and filter known false positives.

Q: Can it run in an air-gapped environment? A: Yes. Download the NVD data bundle on a connected machine, then transfer it to the air-gapped system for offline scanning.

Q: What CI systems does it integrate with? A: It integrates with Jenkins (official plugin), GitHub Actions, GitLab CI, Azure DevOps, and any CI system that can run Maven, Gradle, or CLI commands.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets