Fork me on GitHub

File Type Analyzers

OWASP dependency-check contains several file type analyzers that are used to extract identification information from the files analyzed.

Analyzer File Types Scanned Analysis Method
Archive Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2); RPM format (*.rpm) Extracts archive contents, then scans contents with all available analyzers.
Assembly .NET Assemblies (*.exe, *.dll) Uses GrokAssembly.exe; requires the dotnet core 8.0 runtime to be installed.
Jar Java archive files (*.jar); Web application archive (*.war) Examines archive manifest metadata, and Maven Project Object Model files (pom.xml).
RetireJS JavaScript files Analyzes JavaScript files using the RetireJS database.
Node.js NPM package specification files (package.json) Parses the package.json to gather a bill-of-materials for a Node JS project.
Node Audit Uses the npm audit APIs to report on known vulnerable node.js libraries. This analyzer requires an Internet connection.
Nugetconf Nuget packages.config file Uses XPath to parse specification XML.
Nuspec Nuget package specification file (*.nuspec) Uses XPath to parse specification XML.
OpenSSL OpenSSL Version Source Header File (opensslv.h) Regex parse of the OPENSSL_VERSION_NUMBER macro definition.
OSS Index Uses the OSS Index APIs to report on vulnerabilities not found in the NVD. This analyzer requires an Internet connection.
Ruby bundler‑audit Ruby Gemfile.lock files Executes bundle-audit and incorporates the results into the dependency-check report.

Experimental Analyzers

The following analyzers can be enabled by enabling the experimental configuration option; see the documentation for the CLI, Ant, Maven, etc. for more information. These analyzers are considered experimental due to the higher false positive and false negative rates. Even though these are marked as experimental several teams have found them useful in their current state.

Analyzer File Types Scanned Analysis Method
Autoconf Autoconf project configuration files (configure,, Regex scan for AC_INIT metadata, including in generated configuration script.
CMake CMake project files (CMakeLists.txt) and scripts (*.cmake) Regex scan for project initialization and version setting commands.
CocoaPods CocoaPods .podspec files Extracts dependency information from specification file.
Carthage Carthage Cartfile.resolved files Extracts dependency information from specification file.
Composer Lock PHP Composer Lock files (composer.lock) Parses PHP Composer lock files for exact versions of dependencies.
CPAN File Perl cpanfile Lock files (composer.lock) Parses Perl cpanfile files for dependencies.
Dart pubspec.yaml, pubspec.lock Extracts dependency information from specification files.
Go lang mod go.mod Uses go mod to determine exactly which dependencies are used.
Go lang dep Gopkg.lock Analyzes the lock file directly to parse dependency information.
PE Analyzer PE DLL and EXE Analyzes the PE Headers to obtain dependency information.
Python Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip) Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts.
Pip Python Pip requirements.txt files Regex scan of requirements.txt.
Ruby Gemspec Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec) Regex scan Gemspec initialization blocks for metadata.
SWIFT SWIFT Package Manager's Package.swift Extracts dependency information from swift package file.