Fork me on GitHub

About

OWASP dependency-check-cli is an command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.

Installation & Usage

Import the GPG key used to sign all Dependency Check releases: gpg --keyserver hkp://keys.gnupg.net --recv-keys F9514E84AE3708288374BBBE097586CFEA37F9A6. This is the same key published to bintray here. Download the dependency-check command line tool here and the associated GPG signature file from bintray here.. Verify the cryptographic integrity of your download: gpg --verify dependency-check-5.2.2-release.zip.asc. Extract the zip file to a location on your computer and put the ‘bin’ directory into the path environment variable.

Homebrew

$ brew install dependency-check

This puts an executable dependency-check script in the /bin directory of your homebrew installation.

To scan a folder on the system you can run:

Windows

dependency-check.bat --project "My App Name" --scan "c:\java\application\lib"

*nix

dependency-check.sh --project "My App Name" --scan "/java/application/lib"

To view the command line arguments, see the arguments page, or you can run:

Windows

dependency-check.bat --help

*nix

dependency-check.sh --help

Extensions and Centralized Databases

If you have built a custom dependency-check-plugin or you are using an centralized database you will likely need to add the custom plugin or database driver to the classpath of dependency-check. This can be done by creating a plugins directory at the root of dependency-check and placing the JAR files the directory.

- dependency-check
  - bin
  - repos
  - data
  - plugins