The OWASP dependency-check-gradle plugin provides monitoring of the projects dependent libraries; creating a report of known vulnerable components that are included in the build.
It is important to understand that the first time this task is executed it may take 5-20 minutes as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
After the first batch download, as long as the plugin is executed at least once every seven days the update will only take a few seconds.
Install from Maven central repo
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:2.1.1'
}
}
apply plugin: 'org.owasp.dependencycheck'
Once the dependency-check plugin is applied, if the Java plugin is being used dependency-check will automatically be added to the check task. Alternatively, you can run dependency-check directly:
gradle dependencyCheckAnalyze --info
The reports will be generated automatically under build/reports folder.
The OWASP dependency-check-gradle plugin contains three tasks: dependencyCheckAnalyze, dependencyCheckUpdate, and dependencyCheckPurge. Please see each tasks configuration page for more information.
Subscribe: dependency-check+subscribe@googlegroups.com
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE.txt file for the full license.
Dependency-Check makes use of several other open source libraries. Please see the NOTICE.txt file for more information.