
Usage

The OWASP dependency-check-gradle plugin monitors the project's dependent libraries and creates a report of known vulnerable components that are included in the build.

It is important to understand that the first time this task is executed it may take 5-20 minutes as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov

After the first batch download, as long as the plugin is executed at least once every seven days, the update will only take a few seconds.

Quick Start

Step 1, Apply dependency-check-gradle plugin

Install from the Maven Central repository

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:10.0.4'
    }
}

apply plugin: 'org.owasp.dependencycheck'

Step 2, Run the dependencyCheckAnalyze task

You can run dependency-check by executing:

./gradlew dependencyCheckAnalyze

The reports will be generated automatically under the ${buildDir}/reports folder.
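
The report from Step 2 can be used to gate a CI job. The following is an added example, not part of the plugin or its documentation. It assumes the report was also written in JSON form (assumed file name dependency-check-report.json) and that the field names used below (dependencies, vulnerabilities, cvssv3.baseScore, cvssv2.score) match that file; the sample report is constructed.

```python
import json

# Constructed sample report (not real scan output). The field names are an
# assumption about the layout of dependency-check's JSON report.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-0001", "cvssv3": {"baseScore": 9.8}},
             {"name": "EXAMPLE-0002", "cvssv2": {"score": 4.3}},
         ]},
        {"fileName": "clean-lib-2.1.jar"},
        {"fileName": "unscored-lib-0.3.jar",
         "vulnerabilities": [{"name": "EXAMPLE-0003"}]},
    ]
})


def best_score(vuln):
    """Return the highest CVSS base score present, or None if unscored."""
    scores = []
    for key, field in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        value = (vuln.get(key) or {}).get(field)
        if isinstance(value, (int, float)):
            scores.append(float(value))
    return max(scores) if scores else None


def findings_at_or_above(report_text, threshold):
    """List (file, id, score) for findings that should block the build.

    Unscored findings are included (score None) so the gate fails closed.
    """
    report = json.loads(report_text)
    blocked = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = best_score(vuln)
            if score is None or score >= threshold:
                blocked.append((dep.get("fileName"), vuln.get("name"), score))
    return blocked


if __name__ == "__main__":
    hits = findings_at_or_above(SAMPLE_REPORT, 7.0)
    for file_name, vuln_id, score in hits:
        print(f"{file_name}: {vuln_id} (CVSS {score})")
    raise SystemExit(1 if hits else 0)
```

In a pipeline, replace SAMPLE_REPORT with the contents of the generated report file and let the non-zero exit status fail the job.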

Task Configuration

The OWASP dependency-check-gradle plugin contains four tasks: dependencyCheckAnalyze, dependencyCheckAggregate, dependencyCheckUpdate, and dependencyCheckPurge. Please see each task's configuration page for more information.

More information can be found in the GitHub repository.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE.txt file for the full license.

Dependency-Check makes use of several other open source libraries. Please see the NOTICE.txt file for more information.