Dependency-Check is an open-source Software Composition Analysis (SCA) tool designed to identify publicly disclosed vulnerabilities within a project’s dependencies. It analyzes dependencies for Common Platform Enumeration (CPE) identifiers and generates a report with links to relevant Common Vulnerabilities and Exposures (CVE) entries, helping teams address security risks.
You Should Know:
1. Installation on Linux:
```shell
# Download the latest version of Dependency-Check
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.2.1/dependency-check-8.2.1-release.zip

# Unzip the downloaded file
unzip dependency-check-8.2.1-release.zip

# Navigate to the bin directory
cd dependency-check/bin

# Run Dependency-Check on a project
./dependency-check.sh --project "My Project" --scan /path/to/your/project
```
2. Basic Usage:
```shell
# Scan a directory containing your project
./dependency-check.sh --project "Example Project" --scan /path/to/project

# Generate an HTML report
./dependency-check.sh --project "Example Project" --scan /path/to/project --format HTML
```
3. Integrating with Maven:
Add the following plugin to your `pom.xml`:
```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>8.2.1</version>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
```
Run the check:
```shell
mvn verify
```
4. Windows Command:
```shell
dependency-check.bat --project "My Project" --scan C:\path\to\your\project
```
5. Advanced Options:
- Suppression File: Use a suppression file to ignore false positives.

```shell
./dependency-check.sh --project "My Project" --scan /path/to/project --suppression /path/to/suppression.xml
```

- Custom Data Directory: Specify a custom data directory for storing the vulnerability database.

```shell
./dependency-check.sh --project "My Project" --scan /path/to/project --data /path/to/data/directory
```
What Undercode Says:
Dependency-Check is an essential tool for modern software development, especially in environments where security is paramount. By integrating it into your CI/CD pipeline, you can ensure that vulnerabilities in dependencies are identified and addressed early in the development process. The tool’s ability to generate detailed reports and integrate with popular build systems like Maven makes it a versatile choice for teams of all sizes. For more information, visit the official Dependency-Check GitHub repository.
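The two ideas above, gating a CI pipeline on the scan result and recording reviewed false positives in a suppression file, can be tied together with a small script. The following is an added example, not code from the Dependency-Check project: it reads a report produced with `--format JSON`, fails the build when any finding reaches a CVSS threshold that is not on an explicit accepted list, and drafts the `<suppress>` entries for the suppression file named in the `--suppression` option. The report is a constructed sample with placeholder CVE ids, and the field names (`dependencies`, `fileName`, `packages[].id`, `vulnerabilities[].name`, `cvssv3.baseScore`) are what the script assumes the JSON report contains.

```python
"""Gate a CI job on a Dependency-Check JSON report and draft suppression entries.

Added example; assumes the JSON report layout described in the lead-in.
"""
import json
import re
import sys
from xml.sax.saxutils import escape

# Constructed sample report. The CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "packages": [{"id": "pkg:maven/com.example/example-lib@1.0"}],
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv3": {"baseScore": 5.3}},
            ],
        },
        {   # a dependency with no findings has no "vulnerabilities" key
            "fileName": "clean-lib-2.3.jar",
            "packages": [{"id": "pkg:maven/com.example/clean-lib@2.3"}],
        },
    ],
})


def findings(report_json):
    """Flatten the report into (package_url, file_name, cve, cvss_score) tuples."""
    report = json.loads(report_json)
    result = []
    for dep in report.get("dependencies", []):
        packages = dep.get("packages") or []
        purl = packages[0]["id"] if packages else None
        for vuln in dep.get("vulnerabilities", []):
            # Prefer the CVSS v3 base score, fall back to v2, else treat as 0.0
            cvss = vuln.get("cvssv3") or vuln.get("cvssv2") or {}
            score = float(cvss.get("baseScore", 0.0))
            result.append((purl, dep.get("fileName"), vuln["name"], score))
    return result


def failing_findings(report_json, threshold, accepted=()):
    """Findings at or above the CVSS threshold that have not been explicitly accepted."""
    return [f for f in findings(report_json)
            if f[3] >= threshold and f[2] not in accepted]


def suppression_entry(purl, cve, reason):
    """Draft one <suppress> element for the suppression file.

    The package URL is anchored to the exact version so the entry must be
    re-reviewed on upgrade; the CVE is named so only that finding is hidden.
    """
    pattern = "^" + re.escape(purl) + "$"
    return (
        "    <suppress>\n"
        f"        <notes><![CDATA[{reason}]]></notes>\n"
        f'        <packageUrl regex="true">{escape(pattern)}</packageUrl>\n'
        f"        <cve>{escape(cve)}</cve>\n"
        "    </suppress>"
    )


def suppression_file(entries):
    """Wrap drafted entries in the document element the --suppression option reads."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
        'dependency-suppression.1.3.xsd">\n'
        + "\n".join(entries) + "\n</suppressions>\n"
    )


if __name__ == "__main__":
    # Usage: python gate.py [dependency-check-report.json] [cvss-threshold]
    report_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    failing = failing_findings(report_json, threshold)
    for purl, name, cve, score in failing:
        print(f"FAIL {cve} (CVSS {score}) in {name} [{purl}]")
    if failing:
        print("Draft suppression entries (only after a reviewer confirms a false positive):")
        print(suppression_file([suppression_entry(p, c, "reviewed: not reachable in this build")
                                for p, _, c, _ in failing]))
        sys.exit(1)
    print("No findings at or above CVSS", threshold)
```

Run it with no arguments to see it gate on the built-in sample, or point it at a real `dependency-check-report.json` and a threshold. The drafted entries are meant to be pasted into the suppression file only after a reviewer has confirmed the finding is a false positive; the exit code is what the CI job should key on.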
References:
Reported By: Mojrhm Dependency – Hackers Feeds