OWASP dependency-check-cli is a command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities in the dependencies of a scanned project. The tool generates a report listing each dependency, any Common Platform Enumeration (CPE) identifiers it was matched to, and the Common Vulnerabilities and Exposures (CVE) entries associated with those CPEs. Because the CPE match is made from the dependency's evidence (names, versions, manifest data) rather than a verified identity, treat the identifications as findings to review, not as confirmed vulnerabilities.
Import the GPG key used to sign all Dependency Check releases:
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
Download the dependency-check command line tool and its associated GPG signature file (the .asc file) from the GitHub Release.
Verify the signature on your download (gpg looks for dependency-check-9.0.2-release.zip in the same directory as the .asc file):
gpg --verify dependency-check-9.0.2-release.zip.asc
Confirm that the output reports a good signature from the key with the fingerprint you imported above. A "Good signature" from any other key, or a "Can't check signature: No public key" message, means the download has not been verified and should not be installed.
Extract the zip file to a location on your computer and add its 'bin' directory to the PATH environment variable.
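The manual install procedure above, carried out as one script. This is an added example, not the project's own installer. It assumes the GitHub release download URL pattern, an install location under $HOME/.local, and that the release zip unpacks to a top-level dependency-check directory; the DC_VERSION and DC_INSTALL_DIR variables and the sample gpg status lines are constructed for this example. The point it adds to the steps above is that the fingerprint comparison is done by the script from gpg's machine-readable --status-fd output, rather than by reading "Good signature" off the screen, so a download signed by some other key in your keyring is rejected.

```sh
#!/bin/sh
# Added example (not part of the OWASP dependency-check project): download a
# CLI release, verify its detached GPG signature, and only then unpack it.
#
# Why not grep gpg's normal output for "Good signature"? That line is printed
# for a valid signature by ANY key in your keyring, and its wording is
# localised. The --status-fd protocol instead emits a VALIDSIG record that
# carries the full fingerprint, which we compare against the release key.
set -eu

EXPECTED_FPR="259A55407DD6C00299E6607EFFDE55BE73A2D1ED"   # OWASP release key (from the import step)
VERSION="${DC_VERSION:-9.0.2}"                            # assumption: release to install
ZIP="dependency-check-${VERSION}-release.zip"
INSTALL_DIR="${DC_INSTALL_DIR:-${HOME:-.}/.local/dependency-check}"   # assumed install location
BASE_URL="https://github.com/jeremylong/DependencyCheck/releases/download/v${VERSION}"  # assumed URL pattern

# Reads gpg --status-fd lines on stdin. Returns 0 only if a VALIDSIG record
# names the expected fingerprint, either as the signing key itself or as the
# primary key of a signing subkey (the last field of the VALIDSIG record).
# Any BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG record, or no status at all, fails closed.
check_gpg_status() {
    expected="$1"
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                rest="${line#*VALIDSIG }"     # drop the record prefix
                fpr="${rest%% *}"             # first field: fingerprint of the key that signed
                primary="${line##* }"         # last field: fingerprint of its primary key
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    ok=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1
                ;;
        esac
    done
    return $ok
}

# $1: release zip, $2: detached signature. Human-readable gpg output still goes
# to stderr for the operator; the decision is made from the status records.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" | check_gpg_status "$EXPECTED_FPR"
}

install_cli() {
    gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$EXPECTED_FPR"
    curl -fsSLO "$BASE_URL/$ZIP"
    curl -fsSLO "$BASE_URL/$ZIP.asc"
    if ! verify_release "$ZIP" "$ZIP.asc"; then
        echo "signature check failed for $ZIP; refusing to install" >&2
        rm -f "$ZIP" "$ZIP.asc"
        exit 1
    fi
    mkdir -p "$INSTALL_DIR"
    unzip -q -o "$ZIP" -d "$INSTALL_DIR"   # assumption: zip contains a top-level dependency-check/ directory
    echo "Add to your shell profile: export PATH=\"$INSTALL_DIR/dependency-check/bin:\$PATH\""
}

# Constructed sample of the status records gpg emits for a good signature by
# the release key. Dates and the user id are made up; only fingerprints matter.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFDE55BE73A2D1ED OWASP dependency-check release key (constructed sample)
[GNUPG:] VALIDSIG 259A55407DD6C00299E6607EFFDE55BE73A2D1ED 2023-12-18 1702900000 0 4 0 1 10 00 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Exercises the parser on the constructed sample; returns 0 when it is accepted.
self_check() {
    printf '%s\n' "$SAMPLE_GOOD" | check_gpg_status "$EXPECTED_FPR"
}

case "${1:-}" in
    install) install_cli ;;
    *) self_check && echo "status parser accepts the constructed sample; run '$0 install' to download and verify" ;;
esac
```

Run it with the argument install to perform the download and verification; with no argument it only checks the parser against the embedded sample. Keeping the fingerprint check on the VALIDSIG record (rather than GOODSIG, which carries only the 64-bit key ID) matters because short key IDs can be collided cheaply, whereas the full fingerprint cannot.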
Alternatively, on macOS you can install with Homebrew:
$ brew install dependency-check
This puts an executable dependency-check script in the bin directory of your Homebrew prefix, which is normally already on your PATH.
To scan a folder on the system you can run:
dependency-check.bat --project "My App Name" --scan "c:\java\application\lib"
dependency-check.sh --project "My App Name" --scan "/java/application/lib"
To view the command line arguments, see the arguments page, or you can run:
dependency-check.bat --help
dependency-check.sh --help
If you have built a custom dependency-check plugin or are using a centralized database, you will likely need to add the custom plugin or the database's JDBC driver to the classpath of dependency-check. This is done by creating a plugins directory at the root of the dependency-check installation and placing the JAR files in that directory:
- dependency-check
  - bin
  - repos
  - data
  - plugins