Esta página se muestra en inglés. Una traducción al español está en curso.
ScriptsJul 18, 2026·3 min de lectura

OWASP Dependency-Check — Detect Known Vulnerabilities in Your Dependencies

OWASP Dependency-Check is a software composition analysis (SCA) tool that scans project dependencies against the National Vulnerability Database (NVD) to identify publicly disclosed vulnerabilities in third-party libraries.

Listo para agents

Instalación lista para agent

Este activo puede instalarse después de elegir el runtime, revisar el plan y ejecutar el comando correspondiente.

Native · 98/100Política: permitir
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Single
Confianza
Confianza: Established
Entrada
OWASP Dependency-Check
Comando de instalación directa
npx -y tokrepo@latest install 82468050-8262-11f1-9bc6-00163e2b0d79 --target codex

Ejecutar después de confirmar el plan con dry-run.

Introduction

Dependency-Check identifies known vulnerabilities in project dependencies by correlating them with CVE entries from the National Vulnerability Database. It supports Java, .NET, JavaScript, Python, Ruby, and more, and integrates into Maven, Gradle, Ant, Jenkins, and CI pipelines as a build-time security gate.

What Dependency-Check Does

  • Scans JAR, DLL, npm, pip, and other package formats for known CVEs
  • Correlates dependencies with the NIST National Vulnerability Database (NVD)
  • Generates HTML, JSON, CSV, and XML reports with CVE details and severity scores
  • Integrates as a plugin for Maven, Gradle, Ant, SBT, and Jenkins
  • Supports suppression files to manage false positives and accepted risks

Architecture Overview

Dependency-Check uses multiple analyzers that inspect dependency metadata (file hashes, package manifests, version strings) and match them against a local mirror of the NVD CVE database. The NVD data is downloaded and cached locally on first run, then updated incrementally. Each analyzer targets a specific ecosystem: the JAR analyzer handles Java, the Assembly analyzer handles .NET, the Node.js analyzer reads package-lock.json, and so on.

Self-Hosting & Configuration

  • Download the standalone CLI or use the Maven/Gradle/Ant plugin
  • First run downloads the NVD database (may take several minutes)
  • Configure NVD API key via --nvdApiKey for faster database updates
  • Use suppression XML files to whitelist known false positives
  • Set CVSS score thresholds with --failOnCVSS to fail builds on high-severity findings

Key Features

  • Scans 10+ dependency ecosystems including Java, .NET, Node.js, Python, and Ruby
  • Offline mode with pre-downloaded NVD data for air-gapped environments
  • CVSS-based build failure thresholds to enforce security policies in CI
  • Suppression files for managing false positives across teams
  • OWASP-backed project with continuous community maintenance

Comparison with Similar Tools

  • Snyk — SaaS-based with broader fix suggestions; Dependency-Check is free and self-hosted
  • Trivy — Container-focused scanner; Dependency-Check specializes in application dependencies
  • npm audit / pip-audit — Single ecosystem; Dependency-Check covers 10+ ecosystems in one tool
  • Grype — Faster container scanning; Dependency-Check has deeper NVD correlation for app-level deps
  • Renovate / Dependabot — Focus on version updates; Dependency-Check focuses on CVE detection

FAQ

Q: How often is the vulnerability database updated? A: The NVD mirror updates incrementally each time you run a scan (with network access). You can also schedule database updates separately.

Q: Does it produce false positives? A: Occasionally, especially with common library names. Use suppression files to document accepted risks and filter known false positives.

Q: Can it run in an air-gapped environment? A: Yes. Download the NVD data bundle on a connected machine, then transfer it to the air-gapped system for offline scanning.

Q: What CI systems does it integrate with? A: It integrates with Jenkins (official plugin), GitHub Actions, GitLab CI, Azure DevOps, and any CI system that can run Maven, Gradle, or CLI commands.

Sources

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados