Fork me on GitHub


OWASP dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The task will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.


  1. Import the GPG key used to sign all Dependency Check releases: gpg --keyserver hkp:// --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED.

  2. Download dependency-check-ant from github here and the associated GPG signature file from the GitHub release.

  3. Verify the cryptographic integrity of your download: gpg --verify

  4. Unzip the archive

  5. Add the taskdef to your build.xml:

    <!-- Set the value to the installation directory's path -->
    <property name="dependency-check.home" value="C:/tools/dependency-check-ant"/>
    <path id="dependency-check.path">
       <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
        <fileset dir="${dependency-check.home}/lib">
            <include name="*.jar"/>
    <taskdef resource="">
       <classpath refid="dependency-check.path" />
  6. Use the defined taskdefs:

It is important to understand that the first time this task is executed it may take 10 minutes or more as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST:

After the first batch download, as long as the task is executed at least once every seven days the update will only take a few seconds.