| Task | Description |
|---|---|
| dependencyCheckAnalyze | Runs dependency-check against the project and generates a report. |
| dependencyCheckAggregate | Runs dependency-check against a multi-project build and generates a report. |
| dependencyCheckUpdate | Updates the local cache of the NVD data from NIST. |
| dependencyCheckPurge | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:${project.version}'
}
}
apply plugin: 'org.owasp.dependencycheck'
check.dependsOn dependencyCheckUpdate
| Property | Description | Default Value |
|---|---|---|
| cveValidForHours | Sets the number of hours to wait before checking for new updates from the NVD. | 4 |
| failOnError | Fails the build if an error occurs during the dependency-check analysis. | true |
dependencyCheck {
cveValidForHours=1
}
| Config Group | Property | Description | Default Value |
|---|---|---|---|
| proxy | server | The proxy server; see the proxy configuration page for more information. | |
| proxy | port | The proxy port. | |
| proxy | username | Defines the proxy user name. | |
| proxy | password | Defines the proxy password. | |
| proxy | nonProxyHosts | The list of hosts that do not use a proxy. |
dependencyCheck {
proxy {
server=some.proxy.server
port=8989
}
}
The following properties can be configured in the dependencyCheck task. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. Note, if ANY of the cve configuration group are set - they should all be set to ensure things work as expected.
| Config Group | Property | Description | Default Value |
|---|---|---|---|
| cve | urlModified | URL for the modified CVE JSON data feed. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz |
| cve | urlBase | Base URL for each year’s CVE JSON data feed, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz |
| cve | waitTime | The time in milliseconds to wait between downloads from the NVD. | 4000 |
| cve | startYear | The first year of NVD CVE data to download from the NVD. | 2002 |
| data | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | |
| data | driver | The name of the database driver. Example: org.h2.Driver. | |
| data | driverPath | The path to the database driver JAR file; only used if the driver is not in the class path. | |
| data | connectionString | The connection string used to connect to the database. See using a database server. | |
| data | username | The username used when connecting to the database. | |
| data | password | The password used when connecting to the database. |
dependencyCheck {
data {
directory='d:/nvd'
}
}