Using a Database Server
**WARNING: This discusses an advanced setup and you may run into issues.**
Out of the box, dependency-check uses a local H2 database. The location of the database file is configured using the data directory configuration option (see CLI).
Some organizations may want to use a more robust, centralized database. Currently, H2 in server mode, MySQL, MariaDB, PostgreSQL, Oracle, and MS SQL Server have been tested. In general, the setup consists of creating a central database and setting up a single instance of dependency-check that can connect to the Internet and is run in update-only mode once a day. The other dependency-check clients then connect, using a read-only connection, to perform the analysis. Please note that if the clients are unable to access the Internet the analysis may result in a few false negatives; see the note about Central here.
To set up a centralized database the following generalized steps can be used:
- Create the database and tables using either initialize.sql or one of the other initialization scripts found here. Note that some of the scripts may need to be updated to correctly create the database and/or add users.
- If you are using H2 in server mode, as of version 6.0.0, the dependency-check-core JAR file needs to be available in the H2 path because of how functions and stored procedures work in H2.
- The account that the clients will connect with must have SELECT granted on the tables.
- Note: the clients performing the scans should run with the noupdate setting. A single instance of the dependency-check client should be set up with updates enabled, and the account used during the update process will need to be granted update rights on the tables.
- Dependency-check clients running scans will need to be configured to use the central database (see the specific configuration options for Maven, Gradle, Ant, CLI, and Jenkins):
  - The connection string, database user name, and the database user's password will need to be configured.
  - If the database driver is not JDBC 4 compliant and/or the driver is not already in the classpath, the database driver will need to be specified using the dbDriver option.
  - If the driver is not already in the classpath, the dbDriverPath option will need to be set.
Also, if using an external database you will need to manually upgrade the schema. See database upgrades for more information.
Examples
The following example shows how to use the Maven plugin with MariaDB:
```xml
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>dummy</groupId>
  <artifactId>dummy</artifactId>
  <version>1.0-SNAPSHOT</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>11.1.0</version>
        <dependencies>
          <dependency>
            <groupId>org.mariadb.jdbc</groupId>
            <artifactId>mariadb-java-client</artifactId>
            <version>3.4.1</version>
          </dependency>
        </dependencies>
        <configuration>
          <connectionString>jdbc:mariadb://my.cvedb.host/cvedb</connectionString>
          <databaseUser>depscan</databaseUser>
          <databasePassword>NotReallyMyDbPassword</databasePassword>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>update-only</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```
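The pom above configures the single updating instance. As an added example that is not part of the original page or of the dependency-check project's own documentation, the following pom.xml shows the matching client side of the setup described in the steps above: updating is disabled with `autoUpdate`, the `check` goal performs the analysis, and the client connects to the same MariaDB database with a separate read-only account. The account name `depscan-ro`, the environment variable `DC_DB_PASSWORD`, and the CVSS threshold are assumptions introduced for this example, not values from the page.

```xml
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>dummy</groupId>
  <artifactId>dummy-client</artifactId>
  <version>1.0-SNAPSHOT</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>11.1.0</version>
        <dependencies>
          <!-- The MariaDB driver is JDBC 4 compliant and is put on the
               plugin classpath here, so the dbDriver / dbDriverPath options
               described above are not needed. -->
          <dependency>
            <groupId>org.mariadb.jdbc</groupId>
            <artifactId>mariadb-java-client</artifactId>
            <version>3.4.1</version>
          </dependency>
        </dependencies>
        <configuration>
          <!-- Clients never update the shared data; only the single
               update-only instance does. -->
          <autoUpdate>false</autoUpdate>
          <connectionString>jdbc:mariadb://my.cvedb.host/cvedb</connectionString>
          <!-- Assumed read-only account: granted SELECT only on the tables. -->
          <databaseUser>depscan-ro</databaseUser>
          <!-- Assumption: the password is supplied through the environment
               variable DC_DB_PASSWORD instead of being committed in the pom. -->
          <databasePassword>${env.DC_DB_PASSWORD}</databasePassword>
          <!-- Optional: fail the build when a finding has CVSS >= 7. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run the updater pom's `update-only` goal on a schedule (for example once a day, as the page suggests) and `mvn verify` on each client. Keeping the client account limited to SELECT means a misconfigured or compromised build agent cannot alter the vulnerability data that every other client relies on; the trade-off is that if the updater has not run, clients analyze against stale data, which is the false-negative risk mentioned above.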
Support
As always, feel free to open an issue.