Introduction
Dependency-Check identifies known vulnerabilities in project dependencies by correlating them with CVE entries from the National Vulnerability Database. It supports Java, .NET, JavaScript, Python, Ruby, and more, and integrates into Maven, Gradle, Ant, Jenkins, and CI pipelines as a build-time security gate.
What Dependency-Check Does
- Scans JAR, DLL, npm, pip, and other package formats for known CVEs
- Correlates dependencies with the NIST National Vulnerability Database (NVD)
- Generates HTML, JSON, CSV, and XML reports with CVE details and severity scores
- Integrates as a plugin for Maven, Gradle, Ant, SBT, and Jenkins
- Supports suppression files to manage false positives and accepted risks
Architecture Overview
Dependency-Check uses multiple analyzers that inspect dependency metadata (file hashes, package manifests, version strings) and match them against a local mirror of the NVD CVE database. The NVD data is downloaded and cached locally on first run, then updated incrementally. Each analyzer targets a specific ecosystem: the JAR analyzer handles Java, the Assembly analyzer handles .NET, the Node.js analyzer reads package-lock.json, and so on.
Self-Hosting & Configuration
- Download the standalone CLI or use the Maven/Gradle/Ant plugin
- First run downloads the NVD database (may take several minutes)
- Configure NVD API key via
--nvdApiKeyfor faster database updates - Use suppression XML files to whitelist known false positives
- Set CVSS score thresholds with
--failOnCVSSto fail builds on high-severity findings
Key Features
- Scans 10+ dependency ecosystems including Java, .NET, Node.js, Python, and Ruby
- Offline mode with pre-downloaded NVD data for air-gapped environments
- CVSS-based build failure thresholds to enforce security policies in CI
- Suppression files for managing false positives across teams
- OWASP-backed project with continuous community maintenance
Comparison with Similar Tools
- Snyk — SaaS-based with broader fix suggestions; Dependency-Check is free and self-hosted
- Trivy — Container-focused scanner; Dependency-Check specializes in application dependencies
- npm audit / pip-audit — Single ecosystem; Dependency-Check covers 10+ ecosystems in one tool
- Grype — Faster container scanning; Dependency-Check has deeper NVD correlation for app-level deps
- Renovate / Dependabot — Focus on version updates; Dependency-Check focuses on CVE detection
FAQ
Q: How often is the vulnerability database updated? A: The NVD mirror updates incrementally each time you run a scan (with network access). You can also schedule database updates separately.
Q: Does it produce false positives? A: Occasionally, especially with common library names. Use suppression files to document accepted risks and filter known false positives.
Q: Can it run in an air-gapped environment? A: Yes. Download the NVD data bundle on a connected machine, then transfer it to the air-gapped system for offline scanning.
Q: What CI systems does it integrate with? A: It integrates with Jenkins (official plugin), GitHub Actions, GitLab CI, Azure DevOps, and any CI system that can run Maven, Gradle, or CLI commands.