About
OWASP dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The task will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
Installation
-
Import the GPG key used to sign all Dependency Check releases:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
. -
Download dependency-check-ant from github here and the associated GPG signature file from the GitHub release.
-
Verify the cryptographic integrity of your download:
gpg --verify dependency-check-ant-11.1.0-release.zip.asc
. -
Unzip the archive
-
Add the taskdef to your build.xml:
<!-- Set the value to the installation directory's path --> <property name="dependency-check.home" value="C:/tools/dependency-check-ant"/> <path id="dependency-check.path"> <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/> <fileset dir="${dependency-check.home}/lib"> <include name="*.jar"/> </fileset> </path> <taskdef resource="dependency-check-taskdefs.properties"> <classpath refid="dependency-check.path" /> </taskdef>
-
Use the defined taskdefs:
- dependency-check - the primary task used to check the project dependencies.
- dependency-check-purge - deletes the local copy of the NVD; this should rarely be used (if ever).
- dependency-check-update - downloads and updates the local copy of the NVD.
It is important to understand that the first time this task is executed it may take 10 minutes or more as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
After the first batch download, as long as the task is executed at least once every seven days the update will only take a few seconds.