Fork me on GitHub

Tasks

Task Description
dependencyCheckAnalyze Runs dependency-check against the project and generates a report.
dependencyCheckUpdate Updates the local cache of the NVD data from NIST.
dependencyCheckPurge Deletes the local copy of the NVD. This is used to force a refresh of the data.

Configuration:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:${project.version}'
    }
}
apply plugin: 'org.owasp.dependencycheck'

check.dependsOn dependencyCheckAnalyze
Property Description Default Value
autoUpdate Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. true
cveValidForHours Sets the number of hours to wait before checking for new updates from the NVD. 4
failOnError Fails the build if an error occurs during the dependency-check analysis. true
failBuildOnCVSS Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. 11
format The report format to be generated (HTML, XML, CSV, JSON, VULN, ALL). HTML
outputDirectory The location to write the report(s). This directory will be located in the build directory. build/reports
skipTestGroups When set to true (the default) all dependency groups that being with ‘test’ will be skipped. true
suppressionFile The file path to the XML suppression file - used to suppress false positives  
hintsFile The file path to the XML hints file - used to resolve false negatives  
skipConfigurations A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property. [] which means no configuration is skipped.
scanConfigurations A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property. [] which implicitly means all configurations get scanned.

Example

dependencyCheck {
    autoUpdate=false
    cveValidForHours=1
    format='ALL'
}

Proxy Configuration

Config Group Property Description Default Value
proxy server The proxy server; see the proxy configuration page for more information.  
proxy port The proxy port.  
proxy username Defines the proxy user name.  
proxy password Defines the proxy password.  

Example

dependencyCheck {
    proxy {
        server=some.proxy.server
        port=8989
    }
}

Advanced Configuration

The following properties can be configured in the dependencyCheck task. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment. Note, if ANY of the cve configuration group are set - they should all be set to ensure things work as expected.

Config Group Property Description Default Value
cve url12Modified URL for the modified CVE 1.2. https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
cve url20Modified URL for the modified CVE 2.0. https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
cve url12Base Base URL for each year’s CVE 1.2, the %d will be replaced with the year. https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cve url20Base Base URL for each year’s CVE 2.0, the %d will be replaced with the year. https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
data directory Sets the data directory to hold SQL CVEs contents. This should generally not be changed.  
data driver The name of the database driver. Example: org.h2.Driver.  
data driverPath The path to the database driver JAR file; only used if the driver is not in the class path.  
data connectionString The connection string used to connect to the database.  
data username The username used when connecting to the database.  
data password The password used when connecting to the database.  

Example

dependencyCheck {
    data {
        directory='d:/nvd'
    }
}

Analyzer Configuration

In addition to the above, the dependencyCheck plugin can be configured to enable or disable specific analyzers by configuring the analyzers section. Note, specific file type analyzers will automatically disable themselves if no file types that they support are detected - so specifically disabling the analyzers is likely not needed.

Config Group Property Description Default Value
analyzers experimentalEnabled Sets whether the experimental analyzers will be used. If not set to true the analyzers marked as experimental (see below) will not be used false
analyzers archiveEnabled Sets whether the Archive Analyzer will be used. true
analyzers zipExtensions A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.  
analyzers jarEnabled Sets whether Jar Analyzer will be used. true
analyzers centralEnabled Sets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below). true
analyzers nexusEnabled Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. true
analyzers nexusUrl Defines the Nexus Server’s web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.  
analyzers nexusUsesProxy Whether or not the defined proxy should be used when connecting to Nexus. true
analyzers pyDistributionEnabled Sets whether the experimental Python Distribution Analyzer will be used. true
analyzers pyPackageEnabled Sets whether the experimental Python Package Analyzer will be used. true
analyzers rubygemsEnabled Sets whether the experimental Ruby Gemspec Analyzer will be used. true
analyzers opensslEnabled Sets whether or not the openssl Analyzer should be used. true
analyzers nuspecEnabled Sets whether or not the .NET Nuget Nuspec Analyzer will be used. true
analyzers assemblyEnabled Sets whether or not the .NET Assembly Analyzer should be used. true
analyzers pathToMono The path to Mono for .NET assembly analysis on non-windows systems.  
analyzers cmakeEnabled Sets whether or not the experimental CMake Analyzer should be used. true
analyzers autoconfEnabled Sets whether or not the experimental autoconf Analyzer should be used. true
analyzers composerEnabled Sets whether or not the experimental PHP Composer Lock File Analyzer should be used. true
analyzers nodeEnabled Sets whether or not the retired Node.js Analyzer should be used. true
analyzers nspEnabled Sets whether the NSP Analyzer should be used. true
analyzers cocoapodsEnabled Sets whether or not the experimental Cocoapods Analyzer should be used. true
analyzers swiftEnabled Sets whether or not the experimental Swift Package Manager Analyzer should be used. true
analyzers bundleAuditEnabled Sets whether or not the experimental Ruby Bundle Audit Analyzer should be used. true
analyzers pathToBundleAudit The path to bundle audit.  
analyzers retiredEnabled Sets whether the retired analyzers will be used. If not set to true the analyzers marked as experimental (see below) will not be used false

Example

dependencyCheck {
    analyzers {
        assemblyEnabled=false
    }
}