Fork me on GitHub

Using a Database Server

WARNING: This discusses an advanced setup and you may run into issues.

Out of the box dependency-check uses a local H2 database. The location of the database file is configured using the data directory configuration option (see CLI).

Some organizations may want to use a more robust centralized database. Currently, H2 in server mode, MySQL, MariaDB, PostgreSQL, Oracle, and MS SQL Server have been tested. In general, the setup is done by creating a central database, setting up a single instance of dependency-check, which can connect to the Internet, that is run in update-only mode once a day. Then the other dependency-check clients can connect, using a read-only connection, to perform the analysis. Please note that if the clients are unable to access the Internet the analysis may result in a few false negatives; see the note about Central here.

To setup a centralized database the following generalized steps can be used:

  1. Create the database and tables using either initialize.sql or one of the other initialization scripts found here. Note that some of the scripts may need to be updated to correctly create the database and/or add users.
    • If you are using H2 in server mode, as of version 6.0.0, the dependency-check-core JAR file needs to be available in the H2 path due to how functions/stored procedures work in H2.
  2. The account that the clients will connect using must have select granted on the tables.
    • Note, the clients performing the scans should run with the noupdate setting. A single instance of the dependency-check client should be setup with updates enabled and the account used during the update process will need to be granted update rights on the tables.
  3. Dependency-check clients running scans will need to be configured to use the central database:
    • The database driver will need to be specified using the dbDriver and if the driver is not already in the classpath the dbDriverPath options will need to be set (see the specific configuration options for Maven, Gradle, Ant, CLI, and Jenkins).
    • The connection string, database user name, and the database user's password will also need to be configured.
Depending on the database being used, you may need to customize the dbStatements.properties. Alternatively to modifying the dbStatements.properties it is possible to use a dialect file to support other databases. See dbStatements_h2.properties as an example.

Also, if using an external database you will need to manually upgrade the schema. See database upgrades for more information.

Examples

The following example shows how to use the Maven plugin with MariaDB:

<project>
    <modelVersion>4.0.0</modelVersion>
    <groupId>dummy</groupId>
    <artifactId>dummy</artifactId>
    <version>1.0-SNAPSHOT</version>
    <build>
        <plugins>
            <plugin>
                <groupId>org.owasp</groupId>
                <artifactId>dependency-check-maven</artifactId>
                <version>6.5.0</version>
                <dependencies>
                    <dependency>
                        <groupId>org.mariadb.jdbc</groupId>
                        <artifactId>mariadb-java-client</artifactId>
                        <version>1.4.6</version>
                    </dependency>
                </dependencies>
                <configuration>
                    <databaseDriverName>org.mariadb.jdbc.Driver</databaseDriverName>
                    <connectionString>jdbc:mariadb://my.cvedb.host/cvedb</connectionString>
                    <databaseUser>depscan</databaseUser>
                    <databasePassword>NotReallyMyDbPassword</databasePassword>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>update-only</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

Support

As always, feel free to open an issue.