About
OWASP dependency-check-cli is a command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool generates a report listing each dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerabilities and Exposures (CVE) entries.
Installation & Usage
Import the GPG key used to sign all Dependency Check releases: gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
Download the dependency-check command line tool and the associated GPG signature file from the GitHub Release.
Verify the cryptographic integrity of your download: gpg --verify dependency-check-11.1.1-release.zip.asc
Extract the zip file to a location on your computer and put the 'bin' directory into the path environment variable.
Homebrew
$ brew install dependency-check
This puts an executable dependency-check script in the /bin directory of your homebrew installation.
To scan a folder on the system you can run:
Windows
dependency-check.bat --project "My App Name" --scan "c:\java\application\lib"
*nix
dependency-check.sh --project "My App Name" --scan "/java/application/lib"
To view the command line arguments, see the arguments page, or you can run:
Windows
dependency-check.bat --help
*nix
dependency-check.sh --help
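A scan is normally followed by reading the report it produced. The script below is an added example, not part of the dependency-check project: it assembles the invocation shown above with a JSON report requested via --format and --out (both existing CLI options), and then summarises such a report per dependency (file name, CPE identifiers, CVE entries, highest CVSS score) and flags dependencies above a chosen threshold. The report field names used here (dependencies[].fileName, vulnerabilityIds[].id, vulnerabilities[].name / cvssv3.baseScore / cvssv2.score) are an assumption about the JSON report layout, and the embedded sample report, including its CVE identifiers, is constructed.

```python
"""Summarise a dependency-check JSON report and gate on CVSS score.

Added example, not project code. Report field names are an assumption
about the JSON report layout; SAMPLE_REPORT below is constructed.
"""
import json
import sys
from typing import Any


def build_scan_command(project: str, scan_path: str, out_dir: str,
                       windows: bool = False) -> list[str]:
    """Build the CLI call from the page, adding a JSON report (--format/--out)."""
    script = "dependency-check.bat" if windows else "dependency-check.sh"
    return [script, "--project", project, "--scan", scan_path,
            "--format", "JSON", "--out", out_dir]


def summarize_report(report: dict[str, Any]) -> list[dict[str, Any]]:
    """One row per dependency that has at least one CVE attached."""
    rows = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        # Prefer CVSSv3 base score, fall back to CVSSv2 score when v3 is absent.
        scores = [v.get("cvssv3", {}).get("baseScore") for v in vulns]
        scores += [v.get("cvssv2", {}).get("score") for v in vulns]
        scores = [s for s in scores if s is not None]
        rows.append({
            "fileName": dep.get("fileName"),
            "cpes": [i["id"] for i in dep.get("vulnerabilityIds", []) if "id" in i],
            "cves": sorted(v["name"] for v in vulns if "name" in v),
            "maxCvss": max(scores, default=0.0),
        })
    return rows


def exceeds_threshold(rows: list[dict[str, Any]], threshold: float) -> list[str]:
    """File names whose highest CVSS score meets or exceeds the threshold."""
    return [r["fileName"] for r in rows if r["maxCvss"] >= threshold]


# Constructed sample report; CVE ids are placeholders, not real entries.
SAMPLE_REPORT = {
    "dependencies": [
        {
            "fileName": "lib-a-1.0.jar",
            "vulnerabilityIds": [{"id": "cpe:2.3:a:example:lib-a:1.0:*:*:*:*:*:*:*"}],
            "vulnerabilities": [
                {"name": "CVE-0000-00001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-00002", "severity": "MEDIUM",
                 "cvssv2": {"score": 4.3}},
            ],
        },
        {"fileName": "lib-b-2.0.jar", "vulnerabilityIds": [], "vulnerabilities": []},
    ]
}


def main(argv: list[str]) -> int:
    """Usage: script.py [path/to/dependency-check-report.json] [cvss-threshold]"""
    report = SAMPLE_REPORT
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    rows = summarize_report(report)
    for r in rows:
        print(f"{r['fileName']}: max CVSS {r['maxCvss']} "
              f"CPEs={r['cpes']} CVEs={r['cves']}")
    failing = exceeds_threshold(rows, threshold)
    if failing:
        print(f"FAIL: {failing} at or above CVSS {threshold}")
        return 1
    print("OK: no dependency at or above threshold")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample evaluated, or pass the path of a real dependency-check-report.json and a threshold; the non-zero exit code makes it usable as a build gate.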
Extensions and Centralized Databases
If you have built a custom dependency-check-plugin or you are using a centralized database, you will likely need to add the custom plugin or database driver to the classpath of dependency-check. This can be done by creating a plugins directory at the root of dependency-check and placing the JAR files in that directory:
dependency-check
  - bin
  - repos
  - data
  - plugins