dependency-check:aggregate

Note: This goal should be used as a Maven report.

Full name:

org.owasp:dependency-check-maven:8.2.1:aggregate

Description:

Maven Plugin that checks project dependencies and the dependencies of all child modules to see if they have any known published vulnerabilities.

Attributes:

  • Requires a Maven project to be executed.
  • Executes as an aggregator goal.
  • Requires dependency resolution of artifacts in scope: compile+runtime.
  • The goal is thread-safe and supports parallel builds.
  • Binds by default to the lifecycle phase: verify.
  • Requires that Maven runs in online mode.

Required Parameters

Name Type Since Description
<failBuildOnAnyVulnerability> boolean - Deprecated. Fail the build if any dependency has a vulnerability listed.
Default value is: false.
User property is: failBuildOnAnyVulnerability.
<failBuildOnCVSS> float - Specifies whether the build should fail if a CVSS score above the specified level is identified. The default is 11; because CVSS scores range from 0 to 10, the build never fails by default.
Default value is: 11.
User property is: failBuildOnCVSS.
<failOnError> boolean - Sets whether or not the mojo should fail if an error occurs.
Default value is: true.
User property is: failOnError.
<format> String - The report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). Multiple formats can be selected using a comma-delimited list.
Default value is: HTML.
User property is: format.
<formats> String[] - The report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). Multiple formats can be selected using a comma-delimited list.
User property is: formats.
<junitFailOnCVSS> float - Specifies the CVSS score that is considered a "test" failure when generating a jUnit style report. The default value is 0 - all vulnerabilities are considered a failure.
Default value is: 0.
User property is: junitFailOnCVSS.
<name> String - The name of the report in the site.
Default value is: dependency-check:aggregate.
User property is: name.
<outputDirectory> File - The output directory. This generally maps to "target".
Default value is: ${project.build.directory}.
User property is: odc.outputDirectory.

Optional Parameters

Name Type Since Description
<archiveAnalyzerEnabled> Boolean - Whether or not the Archive Analyzer is enabled.
User property is: archiveAnalyzerEnabled.
<artifactoryAnalyzerApiToken> String - The API token used to connect to the Artifactory instance.
User property is: artifactoryAnalyzerApiToken.
<artifactoryAnalyzerBearerToken> String - The bearer token used to connect to the Artifactory instance.
User property is: artifactoryAnalyzerBearerToken.
<artifactoryAnalyzerEnabled> Boolean - Whether or not the Artifactory Analyzer is enabled.
User property is: artifactoryAnalyzerEnabled.
<artifactoryAnalyzerParallelAnalysis> Boolean - Whether the Artifactory analyzer should be run in parallel or not.
Default value is: true.
User property is: artifactoryAnalyzerParallelAnalysis.
<artifactoryAnalyzerServerId> String - The serverId inside the settings.xml containing the username and token to access Artifactory.
User property is: artifactoryAnalyzerServerId.
<artifactoryAnalyzerUrl> String - The Artifactory URL for the Artifactory analyzer.
User property is: artifactoryAnalyzerUrl.
<artifactoryAnalyzerUseProxy> Boolean - Whether Artifactory should be accessed through a proxy or not.
User property is: artifactoryAnalyzerUseProxy.
<artifactoryAnalyzerUsername> String - The username (only used with API token) used to connect to the Artifactory instance.
User property is: artifactoryAnalyzerUsername.
<assemblyAnalyzerEnabled> Boolean - Whether or not the .NET Assembly Analyzer is enabled.
User property is: assemblyAnalyzerEnabled.
<autoconfAnalyzerEnabled> Boolean - Sets whether or not the autoconf Analyzer should be used.
User property is: autoconfAnalyzerEnabled.
<autoUpdate> Boolean - Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default is true.
User property is: autoUpdate.
<bundleAuditAnalyzerEnabled> Boolean - Whether or not the Ruby Bundle Audit Analyzer is enabled.
User property is: bundleAuditAnalyzerEnabled.
<bundleAuditPath> String - Sets the path for the bundle-audit binary.
User property is: bundleAuditPath.
<bundleAuditWorkingDirectory> String - Sets the path for the working directory that the bundle-audit binary should be executed from.
User property is: bundleAuditWorkingDirectory.
<centralAnalyzerEnabled> Boolean - Whether or not the Central Analyzer is enabled.
User property is: centralAnalyzerEnabled.
<centralAnalyzerUseCache> Boolean - Whether or not the Central Analyzer should use a local cache.
User property is: centralAnalyzerUseCache.
<cmakeAnalyzerEnabled> Boolean - Sets whether or not the CMake Analyzer should be used.
User property is: cmakeAnalyzerEnabled.
<cocoapodsAnalyzerEnabled> Boolean - Whether or not the CocoaPods Analyzer is enabled.
User property is: cocoapodsAnalyzerEnabled.
<composerAnalyzerEnabled> Boolean - Sets whether or not the PHP Composer Lock File Analyzer should be used.
User property is: composerAnalyzerEnabled.
<connectionString> String - The database connection string.
User property is: connectionString.
<connectionTimeout> String - The Connection Timeout.
User property is: connectionTimeout.
<cpanfileAnalyzerEnabled> Boolean - Whether or not the Perl CPAN File Analyzer is enabled.
User property is: cpanfileAnalyzerEnabled.
<cvePassword> String - The password to authenticate to the CVE-URL.
User property is: cvePassword.
<cveServerId> String - The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for cve-URLs.
User property is: cveServerId.
<cveStartYear> Integer - Specify the first year of NVD CVE data to download; default is 2002.
User property is: cveStartYear.
<cveUrlBase> String - Base Data Mirror URL for CVE 1.2.
User property is: cveUrlBase.
<cveUrlModified> String - Data Mirror URL for CVE 1.2.
User property is: cveUrlModified.
<cveUser> String - The username to use when connecting to the CVE-URL.
User property is: cveUser.
<cveValidForHours> Integer - Optionally skip excessive CVE update checks for a designated duration in hours.
User property is: cveValidForHours.
<cveWaitTime> String - The wait timeout between downloading from the NVD.
User property is: cveWaitTime.
<dartAnalyzerEnabled> Boolean - Sets whether the Dart analyzer is enabled. Default is true.
User property is: dartAnalyzerEnabled.
<databaseDriverName> String - The database driver name. An example would be org.h2.Driver.
User property is: databaseDriverName.
<databaseDriverPath> String - The path to the database driver if it is not on the class path.
User property is: databaseDriverPath.
<databasePassword> String - The password to use when connecting to the database.
User property is: databasePassword.
<databaseUser> String - The database user name.
User property is: databaseUser.
<dataDirectory> String - The data directory, which holds the DC SQL DB.
User property is: dataDirectory.
<dbFilename> String - The name of the DC DB.
User property is: dbFilename.
<enableExperimental> Boolean - Sets whether Experimental analyzers are enabled. Default is false.
User property is: enableExperimental.
<enableRetired> Boolean - Sets whether retired analyzers are enabled. Default is false.
User property is: enableRetired.
<excludes> List<String> - The list of artifacts (and their transitive dependencies) to exclude from the check.
User property is: odc.excludes.
<golangDepEnabled> Boolean - Sets whether the Golang Dependency analyzer is enabled. Default is true.
User property is: golangDepEnabled.
<golangModEnabled> Boolean - Sets whether Golang Module Analyzer is enabled; this requires `go` to be installed. Default is true.
User property is: golangModEnabled.
<hintsFile> String - The path to the hints file.
User property is: hintsFile.
<hostedSuppressionsEnabled> Boolean - Whether the hosted suppressions file will be used.
User property is: hostedSuppressionsEnabled.
<hostedSuppressionsForceUpdate> Boolean - Whether the hosted suppressions file will be updated regardless of the `autoupdate` settings.
User property is: hostedSuppressionsForceUpdate.
<hostedSuppressionsUrl> String - The hosted suppressions file URL.
User property is: hostedSuppressionsUrl.
<hostedSuppressionsValidForHours> Integer - Skip excessive hosted suppression file update checks for a designated duration in hours (defaults to 2 hours).
User property is: hostedSuppressionsValidForHours.
<jarAnalyzerEnabled> Boolean - Whether or not the Jar Analyzer is enabled.
User property is: jarAnalyzerEnabled.
<knownExploitedEnabled> Boolean - Whether or not the Known Exploited Vulnerability Analyzer is enabled.
User property is: knownExploitedEnabled.
<knownExploitedUrl> String - The URL to the CISA Known Exploited Vulnerabilities JSON datafeed.
User property is: knownExploitedUrl.
<mavenInstallAnalyzerEnabled> Boolean - Sets whether or not the Maven install Analyzer should be used.
User property is: mavenInstallAnalyzerEnabled.
<mavenSettings> Settings - The Maven settings.
Default value is: ${settings}.
User property is: mavenSettings.
<mavenSettingsProxyId> String - The Maven settings proxy id.
User property is: mavenSettingsProxyId.
<mixAuditAnalyzerEnabled> Boolean - Whether or not the Elixir Mix Audit Analyzer is enabled.
User property is: mixAuditAnalyzerEnabled.
<mixAuditPath> String - Sets the path for the mix_audit binary.
User property is: mixAuditPath.
<msbuildAnalyzerEnabled> Boolean - Whether or not the MS Build Analyzer is enabled.
User property is: msbuildAnalyzerEnabled.
<nexusAnalyzerEnabled> Boolean - Whether or not the Nexus Analyzer is enabled.
User property is: nexusAnalyzerEnabled.
<nexusServerId> String - The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated.
User property is: nexusServerId.
<nexusUrl> String - The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
User property is: nexusUrl.
<nexusUsesProxy> Boolean - Whether or not the configured proxy is used to connect to Nexus.
User property is: nexusUsesProxy.
<nodeAnalyzerEnabled> Boolean - Sets whether or not the Node.js Analyzer should be used.
User property is: nodeAnalyzerEnabled.
<nodeAuditAnalyzerEnabled> Boolean - Sets whether or not the Node Audit Analyzer should be used.
User property is: nodeAuditAnalyzerEnabled.
<nodeAuditAnalyzerUrl> String - The Node Audit API URL for the Node Audit Analyzer.
User property is: nodeAuditAnalyzerUrl.
<nodeAuditAnalyzerUseCache> Boolean - Sets whether or not the Node Audit Analyzer should use a local cache.
User property is: nodeAuditAnalyzerUseCache.
<nodeAuditSkipDevDependencies> Boolean - Sets whether or not the Node Audit Analyzer should skip devDependencies.
User property is: nodeAuditSkipDevDependencies.
<nodePackageSkipDevDependencies> Boolean - Sets whether or not the Node.js Analyzer should skip devDependencies.
User property is: nodePackageSkipDevDependencies.
<nugetconfAnalyzerEnabled> Boolean - Whether or not the .NET packages.config Analyzer is enabled.
User property is: nugetconfAnalyzerEnabled.
<nuspecAnalyzerEnabled> Boolean - Whether or not the .NET Nuspec Analyzer is enabled.
User property is: nuspecAnalyzerEnabled.
<opensslAnalyzerEnabled> Boolean - Sets whether or not the openssl Analyzer should be used.
User property is: opensslAnalyzerEnabled.
<ossindexAnalyzerEnabled> Boolean - Whether or not the Sonatype OSS Index analyzer is enabled.
User property is: ossindexAnalyzerEnabled.
<ossindexAnalyzerUrl> String - URL of the Sonatype OSS Index service.
User property is: ossindexAnalyzerUrl.
<ossindexAnalyzerUseCache> Boolean - Whether or not the Sonatype OSS Index analyzer should cache results.
User property is: ossindexAnalyzerUseCache.
<ossIndexServerId> String - The id of a server defined in the settings.xml that configures the credentials (username and password) for an OSS Index service.
User property is: ossIndexServerId.
<ossIndexWarnOnlyOnRemoteErrors> Boolean - Whether we should only warn about Sonatype OSS Index remote errors instead of failing the goal completely.
User property is: ossIndexWarnOnlyOnRemoteErrors.
<pathToCore> String - The path to dotnet core.
User property is: pathToCore.
<pathToGo> String - Sets the path to `go`.
User property is: pathToGo.
<pathToPnpm> String - Sets the path to `pnpm`.
User property is: pathToPnpm.
<pathToYarn> String - Sets the path to `yarn`.
User property is: pathToYarn.
<pipAnalyzerEnabled> Boolean - Sets whether or not the pip Analyzer should be used.
User property is: pipAnalyzerEnabled.
<pipfileAnalyzerEnabled> Boolean - Sets whether or not the pipfile Analyzer should be used.
User property is: pipfileAnalyzerEnabled.
<pnpmAuditAnalyzerEnabled> Boolean - Sets whether or not the Pnpm Audit Analyzer should be used.
User property is: pnpmAuditAnalyzerEnabled.
<poetryAnalyzerEnabled> Boolean - Sets whether or not the poetry Analyzer should be used.
User property is: poetryAnalyzerEnabled.
<prettyPrint> Boolean - Whether or not the XML and JSON report formats should be pretty printed. The default is false.
User property is: prettyPrint.
<pyDistributionAnalyzerEnabled> Boolean - Sets whether the Python Distribution Analyzer will be used.
User property is: pyDistributionAnalyzerEnabled.
<pyPackageAnalyzerEnabled> Boolean - Sets whether the Python Package Analyzer will be used.
User property is: pyPackageAnalyzerEnabled.
<readTimeout> String - The Read Timeout.
User property is: readTimeout.
<retirejs> Retirejs - The RetireJS Analyzer configuration:
  filters: an array of filter patterns that are used to exclude JS files that contain a match
  filterNonVulnerable: a boolean that when true will remove non-vulnerable JS from the report

Example:
  <retirejs>
    <filters>
      <filter>copyright 2018\(c\) Jeremy Long</filter>
    </filters>
    <filterNonVulnerable>true</filterNonVulnerable>
  </retirejs>

User property is: retirejs.
<retireJsAnalyzerEnabled> Boolean - Sets whether or not the Retirejs Analyzer should be used.
User property is: retireJsAnalyzerEnabled.
<retireJsForceUpdate> Boolean - Whether the Retire JS repository will be updated regardless of the `autoupdate` settings.
User property is: retireJsForceUpdate.
<retireJsPassword> String - The password to authenticate to the CVE-URL.
User property is: retireJsPassword.
<retireJsUrl> String - The Retire JS repository URL.
User property is: retireJsUrl.
<retireJsUrlServerId> String - The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for cve-URLs.
User property is: retireJsUrlServerId.
<retireJsUser> String - The username to use when connecting to the CVE-URL.
User property is: retireJsUser.
<rubygemsAnalyzerEnabled> Boolean - Sets whether the Ruby Gemspec Analyzer will be used.
User property is: rubygemsAnalyzerEnabled.
<scanDependencies> boolean - Whether the project's dependencies should also be scanned.
Default value is: true.
User property is: odc.dependencies.scan.
<scanDirectory> List<String> - A list of directories to scan. Note, this should only be used via the command line - if configuring the directories to scan consider using the `scanSet` instead.
User property is: scanDirectory.
<scanPlugins> boolean - Whether the project's plugins should also be scanned.
Default value is: false.
User property is: odc.plugins.scan.
<scanSet> List<FileSet> - A collection of fileSets that specify additional files and/or directories (from the basedir) to analyze as part of the scan. If not specified, defaults to the Maven conventions of: src/main/resources, src/main/filters, and src/main/webapp. Note, this cannot be set via the command line - use `scanDirectory` instead.
<serverId> String - The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
User property is: serverId.
<showSummary> boolean - Flag indicating whether or not to show a summary in the output.
Default value is: true.
User property is: showSummary.
<skip> boolean - Skip Dependency Check altogether.
Default value is: false.
User property is: dependency-check.skip.
<skipArtifactType> String - Skip analysis for dependencies which type matches this regular expression. This filters on the `type` of dependency as defined in the dependency section: jar, pom, test-jar, etc.
User property is: skipArtifactType.
<skipDependencyManagement> boolean - Skip Analysis for dependencyManagement section.
Default value is: true.
User property is: skipDependencyManagement.
<skipProvidedScope> boolean - Skip Analysis for Provided Scope Dependencies.
Default value is: false.
User property is: skipProvidedScope.
<skipRuntimeScope> boolean - Skip Analysis for Runtime Scope Dependencies.
Default value is: false.
User property is: skipRuntimeScope.
<skipSystemScope> boolean - Skip Analysis for System Scope Dependencies.
Default value is: false.
User property is: skipSystemScope.
<skipTestScope> boolean - Skip Analysis for Test Scope Dependencies.
Default value is: true.
User property is: skipTestScope.
<suppressionFile> String - The path to the suppression file. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799).
User property is: suppressionFile.
<suppressionFilePassword> String - The password used when connecting to the suppressionFiles.
User property is: suppressionFilePassword.
<suppressionFiles> String[] - The paths to the suppression files. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799).
User property is: suppressionFiles.
<suppressionFileServerId> String - The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for suppressionFile(s).
User property is: suppressionFileServerId.
<suppressionFileUser> String - The username used when connecting to the suppressionFiles.
User property is: suppressionFileUser.
<swiftPackageManagerAnalyzerEnabled> Boolean - Whether or not the Swift package Analyzer is enabled.
User property is: swiftPackageManagerAnalyzerEnabled.
<swiftPackageResolvedAnalyzerEnabled> Boolean - Whether or not the Swift package resolved Analyzer is enabled.
User property is: swiftPackageResolvedAnalyzerEnabled.
<versionCheckEnabled> boolean - Sets whether dependency-check should check if there is a new version available.
Default value is: true.
User property is: versionCheckEnabled.
<virtualSnapshotsFromReactor> Boolean - Use pom dependency information for snapshot dependencies that are part of the Maven reactor while aggregate scanning a multi-module project.
Default value is: true.
User property is: dependency-check.virtualSnapshotsFromReactor.
<yarnAuditAnalyzerEnabled> Boolean - Sets whether or not the Yarn Audit Analyzer should be used.
User property is: yarnAuditAnalyzerEnabled.
<zipExtensions> String - A comma-separated list of file extensions to add to the analysis in addition to jar, zip, ....
User property is: zipExtensions.

Parameter Details

<archiveAnalyzerEnabled>

Whether or not the Archive Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: archiveAnalyzerEnabled

<artifactoryAnalyzerApiToken>

The API token used to connect to the Artifactory instance.
  • Type: java.lang.String
  • Required: No
  • User Property: artifactoryAnalyzerApiToken

<artifactoryAnalyzerBearerToken>

The bearer token used to connect to the Artifactory instance.
  • Type: java.lang.String
  • Required: No
  • User Property: artifactoryAnalyzerBearerToken

<artifactoryAnalyzerEnabled>

Whether or not the Artifactory Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: artifactoryAnalyzerEnabled

<artifactoryAnalyzerParallelAnalysis>

Whether the Artifactory analyzer should be run in parallel or not.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: artifactoryAnalyzerParallelAnalysis
  • Default: true

<artifactoryAnalyzerServerId>

The serverId inside the settings.xml containing the username and token to access Artifactory.
  • Type: java.lang.String
  • Required: No
  • User Property: artifactoryAnalyzerServerId

<artifactoryAnalyzerUrl>

The Artifactory URL for the Artifactory analyzer.
  • Type: java.lang.String
  • Required: No
  • User Property: artifactoryAnalyzerUrl

<artifactoryAnalyzerUseProxy>

Whether Artifactory should be accessed through a proxy or not.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: artifactoryAnalyzerUseProxy

<artifactoryAnalyzerUsername>

The username (only used with API token) used to connect to the Artifactory instance.
  • Type: java.lang.String
  • Required: No
  • User Property: artifactoryAnalyzerUsername

<assemblyAnalyzerEnabled>

Whether or not the .NET Assembly Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: assemblyAnalyzerEnabled

<autoconfAnalyzerEnabled>

Sets whether or not the autoconf Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: autoconfAnalyzerEnabled

<autoUpdate>

Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default is true.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: autoUpdate

<bundleAuditAnalyzerEnabled>

Whether or not the Ruby Bundle Audit Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: bundleAuditAnalyzerEnabled

<bundleAuditPath>

Sets the path for the bundle-audit binary.
  • Type: java.lang.String
  • Required: No
  • User Property: bundleAuditPath

<bundleAuditWorkingDirectory>

Sets the path for the working directory that the bundle-audit binary should be executed from.
  • Type: java.lang.String
  • Required: No
  • User Property: bundleAuditWorkingDirectory

<centralAnalyzerEnabled>

Whether or not the Central Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: centralAnalyzerEnabled

<centralAnalyzerUseCache>

Whether or not the Central Analyzer should use a local cache.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: centralAnalyzerUseCache

<cmakeAnalyzerEnabled>

Sets whether or not the CMake Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: cmakeAnalyzerEnabled

<cocoapodsAnalyzerEnabled>

Whether or not the CocoaPods Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: cocoapodsAnalyzerEnabled

<composerAnalyzerEnabled>

Sets whether or not the PHP Composer Lock File Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: composerAnalyzerEnabled

<connectionString>

The database connection string.
  • Type: java.lang.String
  • Required: No
  • User Property: connectionString

<connectionTimeout>

The Connection Timeout.
  • Type: java.lang.String
  • Required: No
  • User Property: connectionTimeout

<cpanfileAnalyzerEnabled>

Whether or not the Perl CPAN File Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: cpanfileAnalyzerEnabled

<cvePassword>

The password to authenticate to the CVE-URL.
  • Type: java.lang.String
  • Required: No
  • User Property: cvePassword

<cveServerId>

The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for cve-URLs.
  • Type: java.lang.String
  • Required: No
  • User Property: cveServerId

<cveStartYear>

Specify the first year of NVD CVE data to download; default is 2002.
  • Type: java.lang.Integer
  • Required: No
  • User Property: cveStartYear

<cveUrlBase>

Base Data Mirror URL for CVE 1.2.
  • Type: java.lang.String
  • Required: No
  • User Property: cveUrlBase

<cveUrlModified>

Data Mirror URL for CVE 1.2.
  • Type: java.lang.String
  • Required: No
  • User Property: cveUrlModified

<cveUser>

The username to use when connecting to the CVE-URL.
  • Type: java.lang.String
  • Required: No
  • User Property: cveUser

<cveValidForHours>

Optionally skip excessive CVE update checks for a designated duration in hours.
  • Type: java.lang.Integer
  • Required: No
  • User Property: cveValidForHours

<cveWaitTime>

The wait timeout between downloading from the NVD.
  • Type: java.lang.String
  • Required: No
  • User Property: cveWaitTime

<dartAnalyzerEnabled>

Sets whether the Dart analyzer is enabled. Default is true.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: dartAnalyzerEnabled

<databaseDriverName>

The database driver name. An example would be org.h2.Driver.
  • Type: java.lang.String
  • Required: No
  • User Property: databaseDriverName

<databaseDriverPath>

The path to the database driver if it is not on the class path.
  • Type: java.lang.String
  • Required: No
  • User Property: databaseDriverPath

<databasePassword>

The password to use when connecting to the database.
  • Type: java.lang.String
  • Required: No
  • User Property: databasePassword

<databaseUser>

The database user name.
  • Type: java.lang.String
  • Required: No
  • User Property: databaseUser

<dataDirectory>

The data directory, which holds the DC SQL DB.
  • Type: java.lang.String
  • Required: No
  • User Property: dataDirectory

<dbFilename>

The name of the DC DB.
  • Type: java.lang.String
  • Required: No
  • User Property: dbFilename

<enableExperimental>

Sets whether Experimental analyzers are enabled. Default is false.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: enableExperimental

<enableRetired>

Sets whether retired analyzers are enabled. Default is false.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: enableRetired

<excludes>

The list of artifacts (and their transitive dependencies) to exclude from the check.
  • Type: java.util.List<java.lang.String>
  • Required: No
  • User Property: odc.excludes

<failBuildOnAnyVulnerability>

Deprecated. Use failBuildOnCVSS with a value of 0 instead.
Fail the build if any dependency has a vulnerability listed.
  • Type: boolean
  • Required: Yes
  • User Property: failBuildOnAnyVulnerability
  • Default: false

<failBuildOnCVSS>

Specifies whether the build should fail if a CVSS score above the specified level is identified. The default is 11; because CVSS scores range from 0 to 10, the build never fails by default.
  • Type: float
  • Required: Yes
  • User Property: failBuildOnCVSS
  • Default: 11
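
Because the defaults of failBuildOnCVSS (11) and junitFailOnCVSS (0) point in opposite directions, a CI gate has to set both explicitly. The pom.xml fragment below is an added example, not part of the plugin's own documentation; the threshold of 7 and the choice of report formats are assumptions to adapt to local policy.

```xml
<!-- Added example: parent (aggregator) pom.xml fragment. Only parameters
     listed on this page are used; the values are illustrative assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.2.1</version>
      <configuration>
        <!-- Default is 11: CVSS scores are 0-10, so the build never fails.
             7 is an assumed blocking threshold, not a plugin recommendation. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>

        <!-- Default is 0: every vulnerability is a jUnit "test" failure.
             Aligned with failBuildOnCVSS here so the jUnit report and the
             build result tell the same story. -->
        <junitFailOnCVSS>7</junitFailOnCVSS>

        <!-- Keep the default so an error in the mojo fails the goal rather
             than letting an incomplete scan pass. -->
        <failOnError>true</failOnError>

        <!-- HTML for people, JSON and JUNIT for tooling. -->
        <formats>
          <format>HTML</format>
          <format>JSON</format>
          <format>JUNIT</format>
        </formats>
      </configuration>
      <executions>
        <execution>
          <!-- aggregate binds to the verify phase by default. -->
          <goals>
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```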

<failOnError>

Sets whether or not the mojo should fail if an error occurs.
  • Type: boolean
  • Required: Yes
  • User Property: failOnError
  • Default: true

<format>

The report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). Multiple formats can be selected using a comma-delimited list.
  • Type: java.lang.String
  • Required: Yes
  • User Property: format
  • Default: HTML

<formats>

The report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). Multiple formats can be selected using a comma-delimited list.
  • Type: java.lang.String[]
  • Required: Yes
  • User Property: formats

<golangDepEnabled>

Sets whether the Golang Dependency analyzer is enabled. Default is true.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: golangDepEnabled

<golangModEnabled>

Sets whether Golang Module Analyzer is enabled; this requires `go` to be installed. Default is true.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: golangModEnabled

<hintsFile>

The path to the hints file.
  • Type: java.lang.String
  • Required: No
  • User Property: hintsFile

<hostedSuppressionsEnabled>

Whether the hosted suppressions file will be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: hostedSuppressionsEnabled

<hostedSuppressionsForceUpdate>

Whether the hosted suppressions file will be updated regardless of the `autoupdate` settings.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: hostedSuppressionsForceUpdate

<hostedSuppressionsUrl>

The hosted suppressions file URL.
  • Type: java.lang.String
  • Required: No
  • User Property: hostedSuppressionsUrl

<hostedSuppressionsValidForHours>

Skip excessive hosted suppression file update checks for a designated duration in hours (defaults to 2 hours).
  • Type: java.lang.Integer
  • Required: No
  • User Property: hostedSuppressionsValidForHours

<jarAnalyzerEnabled>

Whether or not the Jar Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: jarAnalyzerEnabled

<junitFailOnCVSS>

Specifies the CVSS score that is considered a "test" failure when generating a jUnit style report. The default value is 0 - all vulnerabilities are considered a failure.
  • Type: float
  • Required: Yes
  • User Property: junitFailOnCVSS
  • Default: 0

<knownExploitedEnabled>

Whether or not the Known Exploited Vulnerability Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: knownExploitedEnabled

<knownExploitedUrl>

The URL to the CISA Known Exploited Vulnerabilities JSON datafeed.
  • Type: java.lang.String
  • Required: No
  • User Property: knownExploitedUrl

<mavenInstallAnalyzerEnabled>

Sets whether or not the Maven install Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: mavenInstallAnalyzerEnabled

<mavenSettings>

The Maven settings.
  • Type: org.apache.maven.settings.Settings
  • Required: No
  • User Property: mavenSettings
  • Default: ${settings}

<mavenSettingsProxyId>

The Maven settings proxy id.
  • Type: java.lang.String
  • Required: No
  • User Property: mavenSettingsProxyId

<mixAuditAnalyzerEnabled>

Whether or not the Elixir Mix Audit Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: mixAuditAnalyzerEnabled

<mixAuditPath>

Sets the path for the mix_audit binary.
  • Type: java.lang.String
  • Required: No
  • User Property: mixAuditPath

<msbuildAnalyzerEnabled>

Whether or not the MS Build Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: msbuildAnalyzerEnabled

<name>

The name of the report in the site.
  • Type: java.lang.String
  • Required: Yes
  • User Property: name
  • Default: dependency-check:aggregate

<nexusAnalyzerEnabled>

Whether or not the Nexus Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nexusAnalyzerEnabled

<nexusServerId>

The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated.
  • Type: java.lang.String
  • Required: No
  • User Property: nexusServerId

<nexusUrl>

The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
  • Type: java.lang.String
  • Required: No
  • User Property: nexusUrl

<nexusUsesProxy>

Whether or not the configured proxy is used to connect to Nexus.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nexusUsesProxy

<nodeAnalyzerEnabled>

Sets whether or not the Node.js Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nodeAnalyzerEnabled

<nodeAuditAnalyzerEnabled>

Sets whether or not the Node Audit Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nodeAuditAnalyzerEnabled

<nodeAuditAnalyzerUrl>

The Node Audit API URL for the Node Audit Analyzer.
  • Type: java.lang.String
  • Required: No
  • User Property: nodeAuditAnalyzerUrl

<nodeAuditAnalyzerUseCache>

Sets whether or not the Node Audit Analyzer should use a local cache.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nodeAuditAnalyzerUseCache

<nodeAuditSkipDevDependencies>

Sets whether or not the Node Audit Analyzer should skip devDependencies.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nodeAuditSkipDevDependencies

<nodePackageSkipDevDependencies>

Sets whether or not the Node.js Analyzer should skip devDependencies.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nodePackageSkipDevDependencies

<nugetconfAnalyzerEnabled>

Whether or not the .NET packages.config Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nugetconfAnalyzerEnabled

<nuspecAnalyzerEnabled>

Whether or not the .NET Nuspec Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: nuspecAnalyzerEnabled

<opensslAnalyzerEnabled>

Sets whether or not the openssl Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: opensslAnalyzerEnabled

<ossindexAnalyzerEnabled>

Whether or not the Sonatype OSS Index analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: ossindexAnalyzerEnabled

<ossindexAnalyzerUrl>

URL of the Sonatype OSS Index service.
  • Type: java.lang.String
  • Required: No
  • User Property: ossindexAnalyzerUrl

<ossindexAnalyzerUseCache>

Whether or not the Sonatype OSS Index analyzer should cache results.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: ossindexAnalyzerUseCache

<ossIndexServerId>

The id of a server defined in the settings.xml that configures the credentials (username and password) for an OSS Index service.
  • Type: java.lang.String
  • Required: No
  • User Property: ossIndexServerId

<ossIndexWarnOnlyOnRemoteErrors>

Whether we should only warn about Sonatype OSS Index remote errors instead of failing the goal completely.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: ossIndexWarnOnlyOnRemoteErrors

<outputDirectory>

The output directory. This generally maps to "target".
  • Type: java.io.File
  • Required: Yes
  • User Property: odc.outputDirectory
  • Default: ${project.build.directory}

<pathToCore>

The path to dotnet core.
  • Type: java.lang.String
  • Required: No
  • User Property: pathToCore

<pathToGo>

Sets the path to `go`.
  • Type: java.lang.String
  • Required: No
  • User Property: pathToGo

<pathToPnpm>

Sets the path to `pnpm`.
  • Type: java.lang.String
  • Required: No
  • User Property: pathToPnpm

<pathToYarn>

Sets the path to `yarn`.
  • Type: java.lang.String
  • Required: No
  • User Property: pathToYarn

<pipAnalyzerEnabled>

Sets whether or not the pip Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: pipAnalyzerEnabled

<pipfileAnalyzerEnabled>

Sets whether or not the pipfile Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: pipfileAnalyzerEnabled

<pnpmAuditAnalyzerEnabled>

Sets whether or not the Pnpm Audit Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: pnpmAuditAnalyzerEnabled

<poetryAnalyzerEnabled>

Sets whether or not the poetry Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: poetryAnalyzerEnabled

<prettyPrint>

Whether or not the XML and JSON report formats should be pretty printed. The default is false.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: prettyPrint

<pyDistributionAnalyzerEnabled>

Sets whether the Python Distribution Analyzer will be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: pyDistributionAnalyzerEnabled

<pyPackageAnalyzerEnabled>

Sets whether the Python Package Analyzer will be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: pyPackageAnalyzerEnabled

<readTimeout>

The Read Timeout.
  • Type: java.lang.String
  • Required: No
  • User Property: readTimeout

<retirejs>

The RetireJS Analyzer configuration:
  filters: an array of filter patterns that are used to exclude JS files that contain a match
  filterNonVulnerable: a boolean that when true will remove non-vulnerable JS from the report

Example:
  <retirejs>
    <filters>
      <filter>copyright 2018\(c\) Jeremy Long</filter>
    </filters>
    <filterNonVulnerable>true</filterNonVulnerable>
  </retirejs>
  • Type: org.owasp.dependencycheck.maven.Retirejs
  • Required: No
  • User Property: retirejs

<retireJsAnalyzerEnabled>

Sets whether or not the Retirejs Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: retireJsAnalyzerEnabled

<retireJsForceUpdate>

Whether the Retire JS repository will be updated regardless of the `autoupdate` settings.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: retireJsForceUpdate

<retireJsPassword>

The password to authenticate to the CVE-URL.
  • Type: java.lang.String
  • Required: No
  • User Property: retireJsPassword

<retireJsUrl>

The Retire JS repository URL.
  • Type: java.lang.String
  • Required: No
  • User Property: retireJsUrl

<retireJsUrlServerId>

The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for cve-URLs.
  • Type: java.lang.String
  • Required: No
  • User Property: retireJsUrlServerId

<retireJsUser>

The username to use when connecting to the CVE-URL.
  • Type: java.lang.String
  • Required: No
  • User Property: retireJsUser

<rubygemsAnalyzerEnabled>

Sets whether the Ruby Gemspec Analyzer will be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: rubygemsAnalyzerEnabled

<scanDependencies>

Whether the project's dependencies should also be scanned.
  • Type: boolean
  • Required: No
  • User Property: odc.dependencies.scan
  • Default: true

<scanDirectory>

A list of directories to scan. Note, this should only be used via the command line - if configuring the directories to scan consider using the `scanSet` instead.
  • Type: java.util.List<java.lang.String>
  • Required: No
  • User Property: scanDirectory

<scanPlugins>

Whether the project's plugins should also be scanned.
  • Type: boolean
  • Required: No
  • User Property: odc.plugins.scan
  • Default: false

<scanSet>

A collection of fileSets that specify additional files and/or directories (from the basedir) to analyze as part of the scan. If not specified, defaults to Maven conventions of: src/main/resources, src/main/filters, and src/main/webapp. Note, this cannot be set via the command line - use `scanDirectory` instead.
  • Type: java.util.List<org.apache.maven.shared.model.fileset.FileSet>
  • Required: No

<serverId>

The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
  • Type: java.lang.String
  • Required: No
  • User Property: serverId

<showSummary>

Flag indicating whether or not to show a summary in the output.
  • Type: boolean
  • Required: No
  • User Property: showSummary
  • Default: true

<skip>

Skip Dependency Check altogether.
  • Type: boolean
  • Required: No
  • User Property: dependency-check.skip
  • Default: false

<skipArtifactType>

Skip analysis for dependencies whose type matches this regular expression. This filters on the `type` of dependency as defined in the dependency section: jar, pom, test-jar, etc.
  • Type: java.lang.String
  • Required: No
  • User Property: skipArtifactType

<skipDependencyManagement>

Skip Analysis for dependencyManagement section.
  • Type: boolean
  • Required: No
  • User Property: skipDependencyManagement
  • Default: true

<skipProvidedScope>

Skip Analysis for Provided Scope Dependencies.
  • Type: boolean
  • Required: No
  • User Property: skipProvidedScope
  • Default: false

<skipRuntimeScope>

Skip Analysis for Runtime Scope Dependencies.
  • Type: boolean
  • Required: No
  • User Property: skipRuntimeScope
  • Default: false

<skipSystemScope>

Skip Analysis for System Scope Dependencies.
  • Type: boolean
  • Required: No
  • User Property: skipSystemScope
  • Default: false

<skipTestScope>

Skip Analysis for Test Scope Dependencies.
  • Type: boolean
  • Required: No
  • User Property: skipTestScope
  • Default: true

<suppressionFile>

The paths to the suppression file. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)
  • Type: java.lang.String
  • Required: No
  • User Property: suppressionFile

<suppressionFilePassword>

The password used when connecting to the suppressionFiles.
  • Type: java.lang.String
  • Required: No
  • User Property: suppressionFilePassword

<suppressionFiles>

The paths to the suppression files. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)
  • Type: java.lang.String[]
  • Required: No
  • User Property: suppressionFiles

<suppressionFileServerId>

The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for suppressionFile(s).
  • Type: java.lang.String
  • Required: No
  • User Property: suppressionFileServerId

<suppressionFileUser>

The username used when connecting to the suppressionFiles.
  • Type: java.lang.String
  • Required: No
  • User Property: suppressionFileUser
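
How the suppression-file parameters above fit together, as an added example that is not part of the plugin's generated documentation: `suppressionFiles` lists a local and a remote file, and `suppressionFileServerId` points at a `settings.xml` server entry so that no user name or password appears in the pom. The remote URL, the server id `odc-suppressions`, the user name and the local file name are hypothetical.

```xml
<!-- pom.xml (added example): suppression files with credentials resolved by server id -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.2.1</version>
      <configuration>
        <suppressionFiles>
          <!-- hypothetical local file, versioned and reviewed with the code -->
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          <!-- hypothetical URL of a shared, organisation-wide suppression file -->
          <suppressionFile>https://suppressions.example.invalid/odc/global-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- must equal the id of the server entry in settings.xml below -->
        <suppressionFileServerId>odc-suppressions</suppressionFileServerId>
        <!-- suppressionFileUser and suppressionFilePassword are deliberately not set here -->
      </configuration>
    </plugin>
  </plugins>
</build>

<!-- settings.xml (added example): the credentials the server id refers to -->
<settings>
  <servers>
    <server>
      <id>odc-suppressions</id>
      <!-- hypothetical read-only account -->
      <username>ci-readonly</username>
      <!-- placeholder for a Maven-encrypted password -->
      <password>{ENCRYPTED_PASSWORD_PLACEHOLDER}</password>
    </server>
  </servers>
</settings>
```

Maven's `mvn --encrypt-password` produces the brace-wrapped value for `<password>`. Because suppression files silence findings, treat the remote file as security-relevant input: serve it over HTTPS and restrict who can change it.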

<swiftPackageManagerAnalyzerEnabled>

Whether or not the Swift package Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: swiftPackageManagerAnalyzerEnabled

<swiftPackageResolvedAnalyzerEnabled>

Whether or not the Swift package resolved Analyzer is enabled.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: swiftPackageResolvedAnalyzerEnabled

<versionCheckEnabled>

Sets whether dependency-check should check if there is a new version available.
  • Type: boolean
  • Required: No
  • User Property: versionCheckEnabled
  • Default: true

<virtualSnapshotsFromReactor>

Use pom dependency information for snapshot dependencies that are part of the Maven reactor while aggregate scanning a multi-module project.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: dependency-check.virtualSnapshotsFromReactor
  • Default: true

<yarnAuditAnalyzerEnabled>

Sets whether or not the Yarn Audit Analyzer should be used.
  • Type: java.lang.Boolean
  • Required: No
  • User Property: yarnAuditAnalyzerEnabled

<zipExtensions>

A comma-separated list of file extensions to add to analysis in addition to jar, zip, etc.
  • Type: java.lang.String
  • Required: No
  • User Property: zipExtensions