Fork me on GitHub

File Type Analyzers

OWASP dependency-check contains several file type analyzers that are used to extract identification information from the files analyzed.

Analyzer File Types Scanned Analysis Method
Archive Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2) Extracts archive contents, then scans contents with all available analyzers.
Assembly .NET Assemblies (*.exe, *.dll) Uses GrokAssembly.exe, which requires .NET Framework or Mono runtime to be installed.
CMake CMake project files (CMakeLists.txt) and scripts (*.cmake) Regex scan for project initialization and version setting commands.
Jar Java archive files (*.jar); Web application archive (*.war) Examines archive manifest metadata, and Maven Project Object Model files (pom.xml).
RetireJS JavaScript files Analyzes JavaScript files using the RetireJS database.
Node.js NPM package specification files (package.json) Parses the package.json to gather a bill-of-materials for a Node JS project.
NPM NPM Public Advisories is used to analyze Node.js’ package-lock.json files for known vulnerable packages.
Nugetconf Nuget packages.config file Uses XPath to parse specification XML.
Nuspec Nuget package specification file (*.nuspec) Uses XPath to parse specification XML.
OpenSSL OpenSSL Version Source Header File (opensslv.h) Regex parse of the OPENSSL_VERSION_NUMBER macro definition.
Ruby bundler‑audit Ruby Gemfile.lock files Executes bundle-audit and incorporates the results into the dependency-check report.

Experimental Analyzers

The following analyzers can be enabled by enabling the experimental configuration option; see the documentation for the CLI, Ant, Maven, etc. for more information. These analyzers are considered experimental due to the higher false positive and false negative rates. Even though these are marked as experimental several teams have found them useful in their current state.

Analyzer File Types Scanned Analysis Method
Autoconf Autoconf project configuration files (configure,, Regex scan for AC_INIT metadata, including in generated configuration script.
CMake CMake project files (CMakeLists.txt) and scripts (*.cmake) Regex scan for project initialization and version setting commands.
CocoaPods CocoaPods .podspec files Extracts dependency information from specification file.
Composer Lock PHP Composer Lock files (composer.lock) Parses PHP Composer lock files for exact versions of dependencies.
Go lang mod go.mod Uses go mod to determine exactly which dependencies are used.
Go lang dep Gopkg.lock Analyzes the lock file directly to parse dependency information.
Python Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip) Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts.
Ruby Gemspec Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec) Regex scan Gemspec initialization blocks for metadata.
SWIFT SWIFT Package Manager’s Package.swift Extracts dependency information from swift package file.