OWASP dependency-check contains several file type analyzers that are used to extract identification information from the files analyzed.
| Analyzer | File Types Scanned | Analysis Method |
|---|---|---|
| Archive | Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2); RPM format (*.rpm) | Extracts archive contents, then scans contents with all available analyzers. |
| Assembly | .NET Assemblies (*.exe, *.dll) | Uses GrokAssembly.exe; requires the dotnet core 6.0 runtime to be installed. |
| Jar | Java archive files (*.jar); Web application archive (*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
| RetireJS | JavaScript files | Analyzes JavaScript files using the RetireJS database. |
| Node.js | NPM package specification files (package.json) | Parses the package.json to gather a bill-of-materials for a Node JS project. |
| Node Audit | Uses the npm audit APIs to report on known vulnerable node.js libraries. This analyzer requires an Internet connection. | |
| Nugetconf | Nuget packages.config file | Uses XPath to parse specification XML. |
| Nuspec | Nuget package specification file (*.nuspec) | Uses XPath to parse specification XML. |
| OpenSSL | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
| OSS Index | Uses the OSS Index APIs to report on vulnerabilities not found in the NVD. This analyzer requires an Internet connection. | |
| Ruby bundler‑audit | Ruby Gemfile.lock files |
Executes bundle-audit and incorporates the results into the dependency-check report. |
The following analyzers can be enabled by enabling the experimental configuration option; see the documentation for the CLI, Ant, Maven, etc. for more information. These analyzers are considered experimental due to the higher false positive and false negative rates. Even though these are marked as experimental several teams have found them useful in their current state.
| Analyzer | File Types Scanned | Analysis Method |
|---|---|---|
| Autoconf | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. |
| CMake | CMake project files (CMakeLists.txt) and scripts (*.cmake) | Regex scan for project initialization and version setting commands. |
| CocoaPods | CocoaPods .podspec files |
Extracts dependency information from specification file. |
| Composer Lock | PHP Composer Lock files (composer.lock) | Parses PHP Composer lock files for exact versions of dependencies. |
| CPAN File | Perl cpanfile Lock files (composer.lock) | Parses Perl cpanfile files for dependencies. |
| Dart | pubspec.yaml, pubspec.lock |
Extracts dependency information from specification files. |
| Go lang mod | go.mod |
Uses go mod to determine exactly which dependencies are used. |
| Go lang dep | Gopkg.lock |
Analyzes the lock file directly to parse dependency information. |
| PE Analyzer | PE DLL and EXE |
Analyzes the PE Headers to obtain dependency information. |
| Python | Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
| Pip | Python Pip requirements.txt files | Regex scan of requirements.txt. |
| Ruby Gemspec | Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |
| SWIFT | SWIFT Package Manager's Package.swift |
Extracts dependency information from swift package file. |
