| | --nvdApiKey | <apiKey> | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | |
| | --nvdApiEndpoint | <endpoint> | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| | --nvdMaxRetryCount | <count> | The maximum number of retry requests for a single call to the NVD API. | 10 |
| | --nvdApiDelay | <milliseconds> | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key |
| | --nvdApiResultsPerPage | <number> | The number of records for a single page from the NVD API (must be <=2000). | 2000 |
| | --nvdDatafeed | <url> | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/Open-Vulnerability-Project/tree/main/vulnz#caching-the-nvd-cve-data - example value https://internal.server/cache/nvdcve-{0}.json.gz | |
| | --nvdUser | <username> | Credentials used for basic authentication for the NVD API Data feed. | |
| | --nvdPassword | <password> | Credentials used for basic authentication for the NVD API Data feed. | |
| | --nvdValidForHours | <hours> | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 |
| | --hints | <file> | The file path to the XML hints file - used to resolve false negatives. | |
| -P | --propertyfile | <file> | Specifies a file that contains properties to use instead of application defaults. The key values used in the properties file are not the same as the arguments listed on this page; use the keys here: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/dependencycheck.properties | |
| | --updateonly | | If set, only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | |
| | --disableKnownExploited | | Sets whether the Known Exploited Vulnerability update and analyzer are enabled. | |
| | --kevURL | <url> | URL to the CISA Known Exploited Vulnerabilities JSON data feed. | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |
| | --disableFileName | | Disables the File Name Analyzer; in general, this should not be disabled. | |
| | --disablePyDist | | Sets whether the experimental Python Distribution Analyzer will be used. | |
| | --disablePyPkg | | Sets whether the experimental Python Package Analyzer will be used. | |
| | --disableMSBuild | | Sets whether the MS Build Project Analyzer will be used. | |
| | --disableNodeJS | | Sets whether the Node.js Package Analyzer will be used. | |
| | --disableYarnAudit | | Sets whether the yarn Audit Analyzer will be used. This analyzer requires an internet connection and that yarn is installed. Use --nodeAuditSkipDevDependencies to skip dev dependencies. | |
| | --yarn | <path> | The path to yarn. | |
| | --disablePnpmAudit | | Sets whether the pnpm Audit Analyzer will be used. This analyzer requires an internet connection and that pnpm is installed. Use --nodeAuditSkipDevDependencies to skip dev dependencies. | |
| | --pnpm | <path> | The path to pnpm. | |
| | --disableNodeAudit | | Sets whether the Node Audit Analyzer will be used. This analyzer requires an internet connection. | |
| | --disableNodeAuditCache | | When the argument is present the Node Audit Analyzer will not cache results. By default the results are cached for 24 hours. | |
| | --nodeAuditSkipDevDependencies | | Configures the Node Audit Analyzer to skip devDependencies. | |
| | --nodePackageSkipDevDependencies | | Configures the Node Package Analyzer to skip devDependencies. | |
| | --disableRetireJS | | Sets whether the RetireJS Analyzer will be used. | |
| | --retireJsForceUpdate | | Sets whether the RetireJS Analyzer will update regardless of the noupdate argument. | false |
| | --retireJsUrl | <url> | The URL to the Retire JS repository. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
| | --retirejsFilter | <pattern> | The RetireJS Analyzer's content filter used to exclude JS files when the content contains the given regular expression; this option can be specified multiple times. | |
| | --retirejsFilterNonVulnerable | | Specifies that the Retire JS Analyzer should filter out non-vulnerable JS files from the report. | |
| | --retirejsUser | <username> | Credentials used for basic authentication for the RetireJS data. | |
| | --retirejsPassword | <password> | Credentials used for basic authentication for the RetireJS data. | |
| | --disableRubygems | | Sets whether the experimental Ruby Gemspec Analyzer will be used. | |
| | --disableBundleAudit | | Sets whether the experimental Ruby Bundler Audit Analyzer will be used. | |
| | --disableCocoapodsAnalyzer | | Sets whether the experimental Cocoapods Analyzer will be used. | |
| | --disableCarthageAnalyzer | | Sets whether the experimental Carthage Analyzer will be used. | |
| | --disableSwiftPackageManagerAnalyzer | | Sets whether the experimental Swift Package Manager Analyzer will be used. | |
| | --disableSwiftPackageResolvedAnalyzer | | Sets whether the experimental Swift Package Resolved Analyzer will be used. | |
| | --disableAutoconf | | Sets whether the experimental Autoconf Analyzer will be used. | |
| | --disableOpenSSL | | Sets whether the OpenSSL Analyzer will be used. | |
| | --disableCmake | | Sets whether the experimental Cmake Analyzer will be disabled. | |
| | --disableArchive | | Sets whether the Archive Analyzer will be disabled. | |
| | --zipExtensions | <strings> | A comma-separated list of additional file extensions to be treated like a ZIP file; the contents will be extracted and analyzed. | |
| | --disableJar | | Sets whether the Jar Analyzer will be disabled. | |
| | --disableComposer | | Sets whether the experimental PHP Composer Lock File Analyzer will be disabled. | |
| | --composerSkipDev | | Sets whether the experimental PHP Composer Lock File Analyzer should skip “packages-dev”. | |
| | --disableCpan | | Sets whether the experimental Perl CPAN File Analyzer will be disabled. | |
| | --disableDart | | Sets whether the experimental Dart Analyzer will be disabled. | |
| | --disableOssIndex | | Sets whether the OSS Index Analyzer will be disabled. This analyzer requires an internet connection. | |
| | --disableOssIndexCache | | When the argument is present the OSS Index Analyzer will not cache results. By default results are cached for 24 hours. | |
| | --ossIndexUsername | <username> | The optional username to connect to Sonatype's OSS Index. | |
| | --ossIndexPassword | <password> | The optional password to connect to Sonatype's OSS Index. | |
| | --ossIndexRemoteErrorWarnOnly | <true\|false> | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely. | |
| | --ossIndexUrl | <url> | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. | https://ossindex.sonatype.org |
| | --disableCentral | | Sets whether the Central Analyzer will be used. Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly). If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer. | |
| | --disableCentralCache | | When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days. | |
| | --centralUrl | | Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used. | https://search.maven.org/solrsearch/select |
| | --centralUsername | | The username to authenticate to the alternative Maven Central url set by the ‘centralUrl’ argument. If not set it will use an unauthenticated connection. | |
| | --centralPassword | | The password to authenticate to the alternative Maven Central url set by the ‘centralUrl’ argument. If not set it will use an unauthenticated connection. | |
| | --enableNexus | | Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server. | |
| | --enableArtifactory | | Sets whether the Artifactory Analyzer will be used. | |
| | --artifactoryUrl | <url> | The Artifactory server URL. | |
| | --artifactoryUseProxy | <true\|false> | Whether Artifactory should be accessed through a proxy or not. | false |
| | --artifactoryParallelAnalysis | <true\|false> | Whether the Artifactory analyzer should be run in parallel or not. | true |
| | --artifactoryUsername | <username> | The user name (only used with API token) to connect to the Artifactory instance. | |
| | --artifactoryApiToken | <token> | The API token to connect to the Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId, artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken. | |
| | --artifactoryBearerToken | <token> | The bearer token to connect to the Artifactory instance. | |
| | --nexus | <url> | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | |
| | --nexusUser | <username> | The username to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection. | |
| | --nexusPass | <password> | The password to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection. | |
| | --nexusUsesProxy | <true\|false> | Whether or not the defined proxy should be used when connecting to Nexus. | true |
| | --disableNuspec | | Sets whether the .NET Nuget Nuspec Analyzer will be used. | |
| | --disableNugetconf | | Sets whether the experimental .NET Nuget packages.config Analyzer will be used. | |
| | --disableAssembly | | Sets whether the .NET Assembly Analyzer should be used. | |
| | --dotnet | <path> | The path to dotnet core for .NET Assembly analysis on non-Windows systems. | |
| | --disableGolangDep | | Sets whether the experimental Go Dependency Analyzer should be used. | |
| | --disableGolangMod | | Sets whether the experimental Go Mod Analyzer should be used. | |
| | --disableMixAudit | | Sets whether the experimental Elixir mix audit Analyzer should be used. | |
| | --disablePoetry | | Sets whether the experimental Poetry Analyzer should be used. | |
| | --disableVersionCheck | | Sets whether dependency-check should check if a new version is available. | |
| | --go | <path> | The path to the go executable for the Go Mod Analyzer; only necessary if go is not on the path. | |
| | --bundleAudit | | The path to the bundle-audit executable. | |
| | --bundleAuditWorkingDirectory | <path> | The path to the working directory that the bundle-audit command should be executed from when doing Gem bundle analysis. | |
| | --proxyserver | <server> | The proxy server to use when downloading resources; see the proxy configuration page for more information. | |
| | --proxyport | <port> | The proxy port to use when downloading resources. | |
| | --nonProxyHosts | <list> | The proxy exclusion list: hostnames (or patterns) for which proxy should not be used. Use pipe, comma or colon as list separator. Example: something.com\|*.something.com\|www.somethingelse.* | |
| -c | --connectiontimeout | <timeout> | The connection timeout (in milliseconds) to use when downloading resources. | 10000 |
| | --readtimeout | <timeout> | The read timeout (in milliseconds) to use when downloading resources. | 60000 |
| | --proxypass | <pass> | The proxy password to use when downloading resources. | |
| | --proxyuser | <user> | The proxy username to use when downloading resources. | |
| | --connectionString | <connStr> | The connection string to the database. See using a database server. | |
| | --dbDriverName | <driver> | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path. | |
| | --dbDriverPath | <path> | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | |
| | --dbPassword | <password> | The password for connecting to the database. | |
| | --dbUser | <user> | The username used to connect to the database. | |
| -d | --data | <path> | The location of the data directory used to store persistent data. | /usr/local/var/dependencycheck if installed through brew (→ formula). Otherwise, the data directory is created inside the install directory, i.e. as a sibling to the <install-dir>/bin, <install-dir>/lib directories. |
| | --purge | | Delete the local copy of the NVD. This is used to force a refresh of the data. | |
| | --disableHostedSuppressions | | Whether the usage of the hosted suppressions file will be disabled. | false |
| | --hostedSuppressionsForceUpdate | | Whether the hosted suppressions file will update regardless of the noupdate argument. | false |
| | --hostedSuppressionsValidForHours | <hours> | The number of hours to wait before checking for new updates of the hosted suppressions file. | 2 |
| | --hostedSuppressionsUrl | <url> | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments. | https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |