
Usage

The OWASP dependency-check-gradle plugin scans the project's dependencies and produces a report of the known vulnerable components that are included in the build.

It is important to understand that the first time the analysis task is executed it may take 5-20 minutes, because it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov

After the initial download, as long as the plugin is executed at least once every seven days, the incremental update only takes a few seconds.

Quick Start

Step 1, Apply dependency-check-gradle plugin

Install from the Maven Central repository

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:2.1.1'
    }
}

apply plugin: 'org.owasp.dependencycheck'

Step 2, Run the dependencyCheckAnalyze task

Once the dependency-check plugin is applied, the dependencyCheckAnalyze task is automatically added to the check task if the Java plugin is also applied. Alternatively, you can run the analysis directly:

gradle dependencyCheckAnalyze --info

The reports are generated under the build/reports folder.

Task Configuration

The OWASP dependency-check-gradle plugin contains three tasks: dependencyCheckAnalyze, dependencyCheckUpdate, and dependencyCheckPurge. Please see each task's configuration page for more information.
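The following build.gradle is an added example, not part of the plugin's own documentation. It carries the Quick Start steps above through to a complete build script and then configures the dependencyCheck extension so that the scan gates the build rather than only writing a report. The extension property names (failBuildOnCVSS, format, suppressionFile) are assumed from the plugin's configuration page and should be checked against the version in use; the sample dependency and the suppression file path are constructed for illustration.

```groovy
// Added example: a complete build.gradle applying the Quick Start steps and
// then tightening the defaults so dependency-check fails the build on findings.
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:2.1.1'
    }
}

// The Java plugin is applied so that `gradle check` runs dependencyCheckAnalyze.
apply plugin: 'java'
apply plugin: 'org.owasp.dependencycheck'

repositories {
    mavenCentral()
}

dependencies {
    // Constructed sample dependency so the analysis has something to resolve.
    compile 'commons-io:commons-io:2.5'
}

// The dependencyCheck extension and the property names below are assumptions
// taken from the plugin's configuration page; verify them for your version.
dependencyCheck {
    // Fail the build when any dependency has a CVE scored at or above this CVSS value.
    // A threshold of 7 treats High and Critical findings as build breakers.
    failBuildOnCVSS = 7

    // Write all report formats: HTML for reviewers, XML/JSON for CI tooling.
    format = 'ALL'

    // Reviewed false positives are suppressed from a file kept in version control,
    // so every suppression is visible in code review. (Constructed example path.)
    suppressionFile = 'config/dependency-check-suppressions.xml'
}
```

With this configuration a plain `gradle check` (or `gradle dependencyCheckAnalyze`) exits non-zero whenever a dependency carries a CVE at or above the threshold, which is what makes the scan useful in CI. Keep the suppression file small and review each entry: a suppression hides a finding for every future build, so it should name the specific CVE and the reason it does not apply.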

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE.txt file for the full license.

Dependency-Check makes use of several other open source libraries. Please see the NOTICE.txt file for more information.