The OWASP dependency-check-gradle plugin provides monitoring of the projects dependent libraries; creating a report of known vulnerable components that are included in the build.
It is important to understand that the first time this task is executed it may take 5-20 minutes as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
After the first batch download, as long as the plugin is executed at least once every seven days the update will only take a few seconds.
Install from Maven central repo
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:9.0.2'
}
}
apply plugin: 'org.owasp.dependencycheck'
You can run dependency-check by executing:
./gradlew dependencyCheckAnalyze
The reports will be generated automatically under ${buildDir}/reports folder.
The OWASP dependency-check-gradle plugin contains three tasks: dependencyCheckAnalyze, dependencyCheckAggregate, dependencyCheckUpdate, and dependencyCheckPurge. Please see each tasks configuration page for more information.
More information can be found in the GitHub repository.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE.txt file for the full license.
Dependency-Check makes use of several other open source libraries. Please see the NOTICE.txt file for more information.