Dependency-check is an open source solution to the OWASP Top 10 2013 entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan Java applications (and their dependent libraries) to identify known vulnerable components.
The problem with using known vulnerable components was covered in a paper by Jeff Williams and Arshan Dabirsiaghi titled “The Unfortunate Reality of Insecure Libraries” (registration required). The gist of the paper is that we, as a development community, include third-party libraries in our applications that contain well-known, published vulnerabilities (such as those listed in the National Vulnerability Database).
More information about dependency-check can be found here:
IMPORTANT NOTE: Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. The initial download of the data may take fifteen minutes or more. If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current.
Dependency-check’s core analysis library is exposed in various forms: