dependency-check:aggregate
Note:
This goal should be used as a Maven report.
Full name:
org.owasp:dependency-check-maven:11.1.0:aggregate
Description:
Maven Plugin that checks project dependencies and the dependencies of all child modules to see if they have any known published vulnerabilities.
Attributes:
- Requires a Maven project to be executed.
- Executes as an aggregator goal.
- Requires dependency resolution of artifacts in scope:
compile+runtime
. - The goal is thread-safe and supports parallel builds.
- Binds by default to the lifecycle phase:
verify
. - Requires that Maven runs in online mode.
Required Parameters
Name | Type | Since | Description |
---|---|---|---|
<failBuildOnAnyVulnerability> |
boolean |
- |
Deprecated. use failBuildOnCVSS with a value of 0 insteadFail the build if any dependency has a vulnerability listed. Default: false User Property: failBuildOnAnyVulnerability |
<failBuildOnCVSS> |
float |
- |
Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. Default: 11 User Property: failBuildOnCVSS |
<failOnError> |
boolean |
- |
Sets whether or not the mojo should fail if an error occurs. Default: true User Property: failOnError |
<format> |
String |
- |
The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma delineated list. Default: HTML User Property: format |
<formats> |
String[] |
- |
The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma delineated list. User Property: formats |
<junitFailOnCVSS> |
float |
- |
Specifies the CVSS score that is considered a "test" failure when generating a jUnit style report. The default value is 0 - all vulnerabilities are considered a failure. Default: 0 User Property: junitFailOnCVSS |
<name> |
String |
- |
The name of the report in the site. Default: dependency-check:aggregate User Property: name |
<outputDirectory> |
File |
- |
The output directory. This generally maps to "target". Default: ${project.build.directory} User Property: odc.outputDirectory |
Optional Parameters
Name | Type | Since | Description |
---|---|---|---|
<archiveAnalyzerEnabled> |
Boolean |
- |
Whether or not the Archive Analyzer is enabled. User Property: archiveAnalyzerEnabled |
<artifactoryAnalyzerApiToken> |
String |
- |
The API token to connect to Artifactory instance User Property: artifactoryAnalyzerApiToken |
<artifactoryAnalyzerBearerToken> |
String |
- |
The bearer token to connect to Artifactory instance User Property: artifactoryAnalyzerBearerToken |
<artifactoryAnalyzerEnabled> |
Boolean |
- |
Whether or not the Artifactory Analyzer is enabled. User Property: artifactoryAnalyzerEnabled |
<artifactoryAnalyzerParallelAnalysis> |
Boolean |
- |
Whether the Artifactory analyzer should be run in parallel or not. Default: true User Property: artifactoryAnalyzerParallelAnalysis |
<artifactoryAnalyzerServerId> |
String |
- |
The serverId inside the settings.xml containing the username and token to access artifactory User Property: artifactoryAnalyzerServerId |
<artifactoryAnalyzerUrl> |
String |
- |
The Artifactory URL for the Artifactory analyzer. User Property: artifactoryAnalyzerUrl |
<artifactoryAnalyzerUseProxy> |
Boolean |
- |
Whether Artifactory should be accessed through a proxy or not User Property: artifactoryAnalyzerUseProxy |
<artifactoryAnalyzerUsername> |
String |
- |
The username (only used with API token) to connect to Artifactory instance User Property: artifactoryAnalyzerUsername |
<assemblyAnalyzerEnabled> |
Boolean |
- |
Whether or not the .NET Assembly Analyzer is enabled. User Property: assemblyAnalyzerEnabled |
<autoUpdate> |
Boolean |
- |
Sets whether auto-updating of the NVD CVE data is enabled. It is not recommended that this be turned to false. Default is true. User Property: autoUpdate |
<autoconfAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the autoconf Analyzer should be used. User Property: autoconfAnalyzerEnabled |
<bundleAuditAnalyzerEnabled> |
Boolean |
- |
Whether or not the Ruby Bundle Audit Analyzer is enabled. User Property: bundleAuditAnalyzerEnabled |
<bundleAuditPath> |
String |
- |
Sets the path for the bundle-audit binary. User Property: bundleAuditPath |
<bundleAuditWorkingDirectory> |
String |
- |
Sets the path for the working directory that the bundle-audit binary should be executed from. User Property: bundleAuditWorkingDirectory |
<carthageAnalyzerEnabled> |
Boolean |
- |
Whether or not the Carthage Analyzer is enabled. User Property: carthageAnalyzerEnabled |
<centralAnalyzerEnabled> |
Boolean |
- |
Whether or not the Central Analyzer is enabled. User Property: centralAnalyzerEnabled |
<centralAnalyzerUseCache> |
Boolean |
- |
Whether or not the Central Analyzer should use a local cache. User Property: centralAnalyzerUseCache |
<cmakeAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the CMake Analyzer should be used. User Property: cmakeAnalyzerEnabled |
<cocoapodsAnalyzerEnabled> |
Boolean |
- |
Whether or not the CocoaPods Analyzer is enabled. User Property: cocoapodsAnalyzerEnabled |
<composerAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the PHP Composer Lock File Analyzer should be used. User Property: composerAnalyzerEnabled |
<composerAnalyzerSkipDev> |
boolean |
- |
Sets whether or not the PHP Composer Lock File Analyzer will scan "packages-dev". User Property: composerAnalyzerSkipDev |
<connectionString> |
String |
- |
The database connection string. User Property: connectionString |
<connectionTimeout> |
String |
- |
The Connection Timeout. User Property: connectionTimeout |
<cpanfileAnalyzerEnabled> |
Boolean |
- |
Whether or not the Perl CPAN File Analyzer is enabled. User Property: cpanfileAnalyzerEnabled |
<dartAnalyzerEnabled> |
Boolean |
- |
Sets whether the Dart analyzer is enabled. Default is true. User Property: dartAnalyzerEnabled |
<dataDirectory> |
String |
- |
The data directory, hold DC SQL DB. User Property: dataDirectory |
<databaseDriverName> |
String |
- |
The database driver name. An example would be org.h2.Driver. User Property: databaseDriverName |
<databaseDriverPath> |
String |
- |
The path to the database driver if it is not on the class path. User Property: databaseDriverPath |
<databasePassword> |
String |
- |
The password to use when connecting to the database. The `serverId` should be used instead otherwise maven debug logging could expose the password. User Property: databasePassword |
<databaseUser> |
String |
- |
The database user name. User Property: databaseUser |
<dbFilename> |
String |
- |
The name of the DC DB. User Property: dbFilename |
<enableExperimental> |
Boolean |
- |
Sets whether Experimental analyzers are enabled. Default is false. User Property: enableExperimental |
<enableRetired> |
Boolean |
- |
Sets whether retired analyzers are enabled. Default is false. User Property: enableRetired |
<excludes> |
List<String> |
- |
The list of artifacts (and their transitive dependencies) to exclude from the check. User Property: odc.excludes |
<golangDepEnabled> |
Boolean |
- |
Sets whether the Golang Dependency analyzer is enabled. Default is true. User Property: golangDepEnabled |
<golangModEnabled> |
Boolean |
- |
Sets whether Golang Module Analyzer is enabled; this requires `go` to be installed. Default is true. User Property: golangModEnabled |
<hintsFile> |
String |
- |
The path to the hints file. User Property: hintsFile |
<hostedSuppressionsEnabled> |
Boolean |
- |
Whether the hosted suppressions file will be used. User Property: hostedSuppressionsEnabled |
<hostedSuppressionsForceUpdate> |
Boolean |
- |
Whether the hosted suppressions file will be updated regardless of the `autoupdate` settings. User Property: hostedSuppressionsForceUpdate |
<hostedSuppressionsUrl> |
String |
- |
The hosted suppressions file URL. User Property: hostedSuppressionsUrl |
<hostedSuppressionsValidForHours> |
Integer |
- |
Skip excessive hosted suppression file update checks for a designated duration in hours (defaults to 2 hours). User Property: hostedSuppressionsValidForHours |
<jarAnalyzerEnabled> |
Boolean |
- |
Whether or not the Jar Analyzer is enabled. User Property: jarAnalyzerEnabled |
<knownExploitedEnabled> |
Boolean |
- |
Whether or not the Known Exploited Vulnerability Analyzer is enabled. User Property: knownExploitedEnabled |
<knownExploitedUrl> |
String |
- |
The URL to the CISA Known Exploited Vulnerabilities JSON datafeed. User Property: knownExploitedUrl |
<libmanAnalyzerEnabled> |
Boolean |
- |
Whether or not the Libman Analyzer is enabled. User Property: libmanAnalyzerEnabled |
<mavenInstallAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the Maven install Analyzer should be used. User Property: mavenInstallAnalyzerEnabled |
<mavenSettings> |
Settings |
- |
The Maven settings. Default: ${settings} User Property: mavenSettings |
<mavenSettingsProxyId> |
String |
- |
The maven settings proxy id. User Property: mavenSettingsProxyId |
<mixAuditAnalyzerEnabled> |
Boolean |
- |
Whether or not the Elixir Mix Audit Analyzer is enabled. User Property: mixAuditAnalyzerEnabled |
<mixAuditPath> |
String |
- |
Sets the path for the mix_audit binary. User Property: mixAuditPath |
<msbuildAnalyzerEnabled> |
Boolean |
- |
Whether or not the MS Build Analyzer is enabled. User Property: msbuildAnalyzerEnabled |
<nexusAnalyzerEnabled> |
Boolean |
- |
Whether or not the Nexus Analyzer is enabled. User Property: nexusAnalyzerEnabled |
<nexusServerId> |
String |
- |
The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated. User Property: nexusServerId |
<nexusUrl> |
String |
- |
The URL of a Nexus server's REST API end point (http://domain/nexus/service/local). User Property: nexusUrl |
<nexusUsesProxy> |
Boolean |
- |
Whether or not the configured proxy is used to connect to Nexus. User Property: nexusUsesProxy |
<nodeAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the Node.js Analyzer should be used. User Property: nodeAnalyzerEnabled |
<nodeAuditAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the Node Audit Analyzer should be used. User Property: nodeAuditAnalyzerEnabled |
<nodeAuditAnalyzerUrl> |
String |
- |
The Node Audit API URL for the Node Audit Analyzer. User Property: nodeAuditAnalyzerUrl |
<nodeAuditAnalyzerUseCache> |
Boolean |
- |
Sets whether or not the Node Audit Analyzer should use a local cache. User Property: nodeAuditAnalyzerUseCache |
<nodeAuditSkipDevDependencies> |
Boolean |
- |
Sets whether or not the Node Audit Analyzer should skip devDependencies. User Property: nodeAuditSkipDevDependencies |
<nodePackageSkipDevDependencies> |
Boolean |
- |
Sets whether or not the Node.js Analyzer should skip devDependencies. User Property: nodePackageSkipDevDependencies |
<nugetconfAnalyzerEnabled> |
Boolean |
- |
Whether or not the .NET packages.config Analyzer is enabled. User Property: nugetconfAnalyzerEnabled |
<nuspecAnalyzerEnabled> |
Boolean |
- |
Whether or not the .NET Nuspec Analyzer is enabled. User Property: nuspecAnalyzerEnabled |
<nvdApiDelay> |
Integer |
- |
The time in milliseconds to wait between downloading NVD API data. User Property: nvdApiDelay |
<nvdApiEndpoint> |
String |
- |
The NVD API Endpoint; setting this is uncommon. User Property: nvdApiEndpoint |
<nvdApiKey> |
String |
- |
The NVD API Key. The parameters nvdApiKeyEnvironmentVariable or nvdApiServerId should be used instead otherwise Maven debug logging could expose the API Key (see GHSA-qqhq-8r2c-c3f5). This takes precedence over nvdApiServerId and nvdApiKeyEnvironmentVariable .User Property: nvdApiKey |
<nvdApiKeyEnvironmentVariable> |
String |
- |
The environment variable from which to retrieve the API key for the NVD API. Takes precedence over nvdApiServerId but is potentially overwritten by nvdApiKey . This is the recommended option to pass the API key in CI builds.User Property: nvdApiKeyEnvironmentVariable |
<nvdApiResultsPerPage> |
Integer |
- |
The number records for a single page from NVD API (must be <=2000). User Property: nvdApiResultsPerPage |
<nvdApiServerId> |
String |
- |
The server id in the settings.xml; used to retrieve encrypted API Key from the settings.xml for the NVD API Key. Note that the password is used as the API Key. Is potentially overwritten by nvdApiKeyEnvironmentVariable or nvdApiKey .User Property: nvdApiServerId |
<nvdDatafeedServerId> |
String |
- |
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for the NVD Data Feed. User Property: nvdDatafeedServerId |
<nvdDatafeedUrl> |
String |
- |
The NVD API Data Feed URL. User Property: nvdDatafeedUrl |
<nvdMaxRetryCount> |
Integer |
- |
The maximum number of retry requests for a single call to the NVD API. User Property: nvdMaxRetryCount |
<nvdPassword> |
String |
- |
The password for basic auth to the NVD Data Feed. User Property: nvdPassword |
<nvdUser> |
String |
- |
The username for basic auth to the NVD Data Feed. User Property: nvdUser |
<nvdValidForHours> |
Integer |
- |
The number of hours to wait before checking for new updates from the NVD. User Property: nvdValidForHours |
<opensslAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the openssl Analyzer should be used. User Property: opensslAnalyzerEnabled |
<ossIndexServerId> |
String |
- |
The id of a server defined in the settings.xml that configures the credentials (username and password) for a OSS Index service. User Property: ossIndexServerId |
<ossIndexWarnOnlyOnRemoteErrors> |
Boolean |
- |
Whether we should only warn about Sonatype OSS Index remote errors instead of failing the goal completely. User Property: ossIndexWarnOnlyOnRemoteErrors |
<ossindexAnalyzerEnabled> |
Boolean |
- |
Whether or not the Sonatype OSS Index analyzer is enabled. User Property: ossindexAnalyzerEnabled |
<ossindexAnalyzerUrl> |
String |
- |
URL of the Sonatype OSS Index service. User Property: ossindexAnalyzerUrl |
<ossindexAnalyzerUseCache> |
Boolean |
- |
Whether or not the Sonatype OSS Index analyzer should cache results. User Property: ossindexAnalyzerUseCache |
<pathToCore> |
String |
- |
The path to dotnet core. User Property: pathToCore |
<pathToGo> |
String |
- |
Sets the path to `go`. User Property: pathToGo |
<pathToPnpm> |
String |
- |
Sets the path to `pnpm`. User Property: pathToPnpm |
<pathToYarn> |
String |
- |
Sets the path to `yarn`. User Property: pathToYarn |
<pipAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the pip Analyzer should be used. User Property: pipAnalyzerEnabled |
<pipfileAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the pipfile Analyzer should be used. User Property: pipfileAnalyzerEnabled |
<pnpmAuditAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the Pnpm Audit Analyzer should be used. User Property: pnpmAuditAnalyzerEnabled |
<poetryAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the poetry Analyzer should be used. User Property: poetryAnalyzerEnabled |
<prettyPrint> |
Boolean |
- |
Whether or not the XML and JSON report formats should be pretty printed. The default is false. User Property: prettyPrint |
<proxy> |
ProxyConfig |
- |
The proxy configuration. |
<pyDistributionAnalyzerEnabled> |
Boolean |
- |
Sets whether the Python Distribution Analyzer will be used. User Property: pyDistributionAnalyzerEnabled |
<pyPackageAnalyzerEnabled> |
Boolean |
- |
Sets whether the Python Package Analyzer will be used. User Property: pyPackageAnalyzerEnabled |
<readTimeout> |
String |
- |
The Read Timeout. User Property: readTimeout |
<retireJsAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the Retirejs Analyzer should be used. User Property: retireJsAnalyzerEnabled |
<retireJsForceUpdate> |
Boolean |
- |
Whether the Retire JS repository will be updated regardless of the `autoupdate` settings. User Property: retireJsForceUpdate |
<retireJsPassword> |
String |
- |
The password to authenticate to the CVE-URL. The `retireJsUrlServerId` should be used instead otherwise maven debug logging could expose the password. User Property: retireJsPassword |
<retireJsUrl> |
String |
- |
The Retire JS repository URL. User Property: retireJsUrl |
<retireJsUrlServerId> |
String |
- |
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for cve-URLs. User Property: retireJsUrlServerId |
<retireJsUser> |
String |
- |
The username to use when connecting to the CVE-URL. User Property: retireJsUser |
<retirejs> |
Retirejs |
- |
The RetireJS Analyzer configuration:
filters: an array of filter patterns that are used to exclude JS files that contain a match filterNonVulnerable: a boolean that when true will remove non-vulnerable JS from the report Example: <retirejs> <filters> <filter>copyright 2018\(c\) Jeremy Long</filter> </filters> <filterNonVulnerable>true</filterNonVulnerable> </retirejs> User Property: retirejs |
<rubygemsAnalyzerEnabled> |
Boolean |
- |
Sets whether the Ruby Gemspec Analyzer will be used. User Property: rubygemsAnalyzerEnabled |
<scanDependencies> |
boolean |
- |
Whether the project's dependencies should also be scanned. Default: true User Property: odc.dependencies.scan |
<scanDirectory> |
List<String> |
- |
A list of directories to scan. Note, this should only be used via the command line - if configuring the directories to scan consider using the `scanSet` instead. User Property: scanDirectory |
<scanPlugins> |
boolean |
- |
Whether the project's plugins should also be scanned. Default: false User Property: odc.plugins.scan |
<scanSet> |
List<FileSet> |
- |
An collection of fileSet s that specify additional files and/or directories (from the basedir) to analyze as part of the scan. If not specified, defaults to Maven conventions of: src/main/resources, src/main/filters, and src/main/webapp. Note, this cannot be set via the command line - use `scanDirectory` instead. |
<serverId> |
String |
- |
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml. This is used for the database username and password. User Property: serverId |
<showSummary> |
boolean |
- |
Flag indicating whether or not to show a summary in the output. Default: true User Property: showSummary |
<skip> |
boolean |
- |
Skip Dependency Check altogether. Default: false User Property: dependency-check.skip |
<skipArtifactType> |
String |
- |
Skip analysis for dependencies which type matches this regular expression. This filters on the `type` of dependency as defined in the dependency section: jar, pom, test-jar, etc. User Property: skipArtifactType |
<skipDependencyManagement> |
boolean |
- |
Skip Analysis for dependencyManagement section. Default: true User Property: skipDependencyManagement |
<skipProvidedScope> |
boolean |
- |
Skip Analysis for Provided Scope Dependencies. Default: false User Property: skipProvidedScope |
<skipRuntimeScope> |
boolean |
- |
Skip Analysis for Runtime Scope Dependencies. Default: false User Property: skipRuntimeScope |
<skipSystemScope> |
boolean |
- |
Skip Analysis for System Scope Dependencies. Default: false User Property: skipSystemScope |
<skipTestScope> |
boolean |
- |
Skip Analysis for Test Scope Dependencies. Default: true User Property: skipTestScope |
<suppressionFile> |
String |
- |
The paths to the suppression file. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) User Property: suppressionFile |
<suppressionFilePassword> |
String |
- |
The password used when connecting to the suppressionFiles. The `suppressionFileServerId` should be used instead otherwise maven debug logging could expose the password. User Property: suppressionFilePassword |
<suppressionFileServerId> |
String |
- |
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for suppressionFile(s). User Property: suppressionFileServerId |
<suppressionFileUser> |
String |
- |
The username used when connecting to the suppressionFiles. User Property: suppressionFileUser |
<suppressionFiles> |
String[] |
- |
The paths to the suppression files. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799) User Property: suppressionFiles |
<swiftPackageManagerAnalyzerEnabled> |
Boolean |
- |
Whether or not the Swift package Analyzer is enabled. User Property: swiftPackageManagerAnalyzerEnabled |
<swiftPackageResolvedAnalyzerEnabled> |
Boolean |
- |
Whether or not the Swift package resolved Analyzer is enabled. User Property: swiftPackageResolvedAnalyzerEnabled |
<versionCheckEnabled> |
boolean |
- |
Sets whether dependency-check should check if there is a new version available. Default: true User Property: versionCheckEnabled |
<virtualSnapshotsFromReactor> |
Boolean |
- |
Use pom dependency information for snapshot dependencies that are part of the Maven reactor while aggregate scanning a multi-module project. Default: true User Property: dependency-check.virtualSnapshotsFromReactor |
<yarnAuditAnalyzerEnabled> |
Boolean |
- |
Sets whether or not the Yarn Audit Analyzer should be used. User Property: yarnAuditAnalyzerEnabled |
<zipExtensions> |
String |
- |
A comma-separated list of file extensions to add to analysis next to jar, zip, .... User Property: zipExtensions |
Parameter Details
<archiveAnalyzerEnabled>
Whether or not the Archive Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
archiveAnalyzerEnabled
<artifactoryAnalyzerApiToken>
The API token to connect to Artifactory instance
- Type:
java.lang.String
- Required:
No
- User Property:
artifactoryAnalyzerApiToken
<artifactoryAnalyzerBearerToken>
The bearer token to connect to Artifactory instance
- Type:
java.lang.String
- Required:
No
- User Property:
artifactoryAnalyzerBearerToken
<artifactoryAnalyzerEnabled>
Whether or not the Artifactory Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
artifactoryAnalyzerEnabled
<artifactoryAnalyzerParallelAnalysis>
Whether the Artifactory analyzer should be run in parallel or not.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
artifactoryAnalyzerParallelAnalysis
- Default:
true
<artifactoryAnalyzerServerId>
The serverId inside the settings.xml containing the username and token to access artifactory
- Type:
java.lang.String
- Required:
No
- User Property:
artifactoryAnalyzerServerId
<artifactoryAnalyzerUrl>
The Artifactory URL for the Artifactory analyzer.
- Type:
java.lang.String
- Required:
No
- User Property:
artifactoryAnalyzerUrl
<artifactoryAnalyzerUseProxy>
Whether Artifactory should be accessed through a proxy or not
- Type:
java.lang.Boolean
- Required:
No
- User Property:
artifactoryAnalyzerUseProxy
<artifactoryAnalyzerUsername>
The username (only used with API token) to connect to Artifactory instance
- Type:
java.lang.String
- Required:
No
- User Property:
artifactoryAnalyzerUsername
<assemblyAnalyzerEnabled>
Whether or not the .NET Assembly Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
assemblyAnalyzerEnabled
<autoUpdate>
Sets whether auto-updating of the NVD CVE data is enabled. It is not recommended that this be turned to false. Default is true.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
autoUpdate
<autoconfAnalyzerEnabled>
Sets whether or not the autoconf Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
autoconfAnalyzerEnabled
<bundleAuditAnalyzerEnabled>
Whether or not the Ruby Bundle Audit Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
bundleAuditAnalyzerEnabled
<bundleAuditPath>
Sets the path for the bundle-audit binary.
- Type:
java.lang.String
- Required:
No
- User Property:
bundleAuditPath
<bundleAuditWorkingDirectory>
Sets the path for the working directory that the bundle-audit binary should be executed from.
- Type:
java.lang.String
- Required:
No
- User Property:
bundleAuditWorkingDirectory
<carthageAnalyzerEnabled>
Whether or not the Carthage Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
carthageAnalyzerEnabled
<centralAnalyzerEnabled>
Whether or not the Central Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
centralAnalyzerEnabled
<centralAnalyzerUseCache>
Whether or not the Central Analyzer should use a local cache.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
centralAnalyzerUseCache
<cmakeAnalyzerEnabled>
Sets whether or not the CMake Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
cmakeAnalyzerEnabled
<cocoapodsAnalyzerEnabled>
Whether or not the CocoaPods Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
cocoapodsAnalyzerEnabled
<composerAnalyzerEnabled>
Sets whether or not the PHP Composer Lock File Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
composerAnalyzerEnabled
<composerAnalyzerSkipDev>
Sets whether or not the PHP Composer Lock File Analyzer will scan "packages-dev".
- Type:
boolean
- Required:
No
- User Property:
composerAnalyzerSkipDev
<connectionString>
The database connection string.
- Type:
java.lang.String
- Required:
No
- User Property:
connectionString
<connectionTimeout>
The Connection Timeout.
- Type:
java.lang.String
- Required:
No
- User Property:
connectionTimeout
<cpanfileAnalyzerEnabled>
Whether or not the Perl CPAN File Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
cpanfileAnalyzerEnabled
<dartAnalyzerEnabled>
Sets whether the Dart analyzer is enabled. Default is true.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
dartAnalyzerEnabled
<dataDirectory>
The data directory, hold DC SQL DB.
- Type:
java.lang.String
- Required:
No
- User Property:
dataDirectory
<databaseDriverName>
The database driver name. An example would be org.h2.Driver.
- Type:
java.lang.String
- Required:
No
- User Property:
databaseDriverName
<databaseDriverPath>
The path to the database driver if it is not on the class path.
- Type:
java.lang.String
- Required:
No
- User Property:
databaseDriverPath
<databasePassword>
The password to use when connecting to the database. The `serverId` should be used instead otherwise maven debug logging could expose the password.
- Type:
java.lang.String
- Required:
No
- User Property:
databasePassword
<databaseUser>
The database user name.
- Type:
java.lang.String
- Required:
No
- User Property:
databaseUser
<dbFilename>
The name of the DC DB.
- Type:
java.lang.String
- Required:
No
- User Property:
dbFilename
<enableExperimental>
Sets whether Experimental analyzers are enabled. Default is false.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
enableExperimental
<enableRetired>
Sets whether retired analyzers are enabled. Default is false.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
enableRetired
<excludes>
The list of artifacts (and their transitive dependencies) to exclude from the check.
- Type:
java.util.List<java.lang.String>
- Required:
No
- User Property:
odc.excludes
<failBuildOnAnyVulnerability>
Deprecated.
use
use
failBuildOnCVSS
with a value of 0 insteadFail the build if any dependency has a vulnerability listed.
- Type:
boolean
- Required:
Yes
- User Property:
failBuildOnAnyVulnerability
- Default:
false
<failBuildOnCVSS>
Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.
- Type:
float
- Required:
Yes
- User Property:
failBuildOnCVSS
- Default:
11
<failOnError>
Sets whether or not the mojo should fail if an error occurs.
- Type:
boolean
- Required:
Yes
- User Property:
failOnError
- Default:
true
<format>
The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma delineated list.
- Type:
java.lang.String
- Required:
Yes
- User Property:
format
- Default:
HTML
<formats>
The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma delineated list.
- Type:
java.lang.String[]
- Required:
Yes
- User Property:
formats
<golangDepEnabled>
Sets whether the Golang Dependency analyzer is enabled. Default is true.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
golangDepEnabled
<golangModEnabled>
Sets whether Golang Module Analyzer is enabled; this requires `go` to be installed. Default is true.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
golangModEnabled
<hintsFile>
The path to the hints file.
- Type:
java.lang.String
- Required:
No
- User Property:
hintsFile
<hostedSuppressionsEnabled>
Whether the hosted suppressions file will be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
hostedSuppressionsEnabled
<hostedSuppressionsForceUpdate>
Whether the hosted suppressions file will be updated regardless of the `autoupdate` settings.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
hostedSuppressionsForceUpdate
<hostedSuppressionsUrl>
The hosted suppressions file URL.
- Type:
java.lang.String
- Required:
No
- User Property:
hostedSuppressionsUrl
<hostedSuppressionsValidForHours>
Skip excessive hosted suppression file update checks for a designated duration in hours (defaults to 2 hours).
- Type:
java.lang.Integer
- Required:
No
- User Property:
hostedSuppressionsValidForHours
<jarAnalyzerEnabled>
Whether or not the Jar Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
jarAnalyzerEnabled
<junitFailOnCVSS>
Specifies the CVSS score that is considered a "test" failure when generating a jUnit style report. The default value is 0 - all vulnerabilities are considered a failure.
- Type:
float
- Required:
Yes
- User Property:
junitFailOnCVSS
- Default:
0
<knownExploitedEnabled>
Whether or not the Known Exploited Vulnerability Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
knownExploitedEnabled
<knownExploitedUrl>
The URL to the CISA Known Exploited Vulnerabilities JSON datafeed.
- Type:
java.lang.String
- Required:
No
- User Property:
knownExploitedUrl
<libmanAnalyzerEnabled>
Whether or not the Libman Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
libmanAnalyzerEnabled
<mavenInstallAnalyzerEnabled>
Sets whether or not the Maven install Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
mavenInstallAnalyzerEnabled
<mavenSettings>
The Maven settings.
- Type:
org.apache.maven.settings.Settings
- Required:
No
- User Property:
mavenSettings
- Default:
${settings}
<mavenSettingsProxyId>
The maven settings proxy id.
- Type:
java.lang.String
- Required:
No
- User Property:
mavenSettingsProxyId
<mixAuditAnalyzerEnabled>
Whether or not the Elixir Mix Audit Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
mixAuditAnalyzerEnabled
<mixAuditPath>
Sets the path for the mix_audit binary.
- Type:
java.lang.String
- Required:
No
- User Property:
mixAuditPath
<msbuildAnalyzerEnabled>
Whether or not the MS Build Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
msbuildAnalyzerEnabled
<name>
The name of the report in the site.
- Type:
java.lang.String
- Required:
Yes
- User Property:
name
- Default:
dependency-check:aggregate
<nexusAnalyzerEnabled>
Whether or not the Nexus Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nexusAnalyzerEnabled
<nexusServerId>
The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated.
- Type:
java.lang.String
- Required:
No
- User Property:
nexusServerId
<nexusUrl>
The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
- Type:
java.lang.String
- Required:
No
- User Property:
nexusUrl
<nexusUsesProxy>
Whether or not the configured proxy is used to connect to Nexus.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nexusUsesProxy
<nodeAnalyzerEnabled>
Sets whether or not the Node.js Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nodeAnalyzerEnabled
<nodeAuditAnalyzerEnabled>
Sets whether or not the Node Audit Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nodeAuditAnalyzerEnabled
<nodeAuditAnalyzerUrl>
The Node Audit API URL for the Node Audit Analyzer.
- Type:
java.lang.String
- Required:
No
- User Property:
nodeAuditAnalyzerUrl
<nodeAuditAnalyzerUseCache>
Sets whether or not the Node Audit Analyzer should use a local cache.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nodeAuditAnalyzerUseCache
<nodeAuditSkipDevDependencies>
Sets whether or not the Node Audit Analyzer should skip devDependencies.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nodeAuditSkipDevDependencies
<nodePackageSkipDevDependencies>
Sets whether or not the Node.js Analyzer should skip devDependencies.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nodePackageSkipDevDependencies
<nugetconfAnalyzerEnabled>
Whether or not the .NET packages.config Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nugetconfAnalyzerEnabled
<nuspecAnalyzerEnabled>
Whether or not the .NET Nuspec Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
nuspecAnalyzerEnabled
<nvdApiDelay>
The time in milliseconds to wait between downloading NVD API data.
- Type:
java.lang.Integer
- Required:
No
- User Property:
nvdApiDelay
<nvdApiEndpoint>
The NVD API Endpoint; setting this is uncommon.
- Type:
java.lang.String
- Required:
No
- User Property:
nvdApiEndpoint
<nvdApiKey>
The NVD API Key. The parameters
nvdApiKeyEnvironmentVariable
or nvdApiServerId
should be used instead otherwise Maven debug logging could expose the API Key (see GHSA-qqhq-8r2c-c3f5). This takes precedence over nvdApiServerId
and nvdApiKeyEnvironmentVariable
.- Type:
java.lang.String
- Required:
No
- User Property:
nvdApiKey
<nvdApiKeyEnvironmentVariable>
The environment variable from which to retrieve the API key for the NVD API. Takes precedence over
nvdApiServerId
but is potentially overwritten by nvdApiKey
. This is the recommended option to pass the API key in CI builds.- Type:
java.lang.String
- Required:
No
- User Property:
nvdApiKeyEnvironmentVariable
<nvdApiResultsPerPage>
The number records for a single page from NVD API (must be <=2000).
- Type:
java.lang.Integer
- Required:
No
- User Property:
nvdApiResultsPerPage
<nvdApiServerId>
The server id in the settings.xml; used to retrieve encrypted API Key from the settings.xml for the NVD API Key. Note that the password is used as the API Key. Is potentially overwritten by
nvdApiKeyEnvironmentVariable
or nvdApiKey
.- Type:
java.lang.String
- Required:
No
- User Property:
nvdApiServerId
<nvdDatafeedServerId>
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for the NVD Data Feed.
- Type:
java.lang.String
- Required:
No
- User Property:
nvdDatafeedServerId
<nvdDatafeedUrl>
The NVD API Data Feed URL.
- Type:
java.lang.String
- Required:
No
- User Property:
nvdDatafeedUrl
<nvdMaxRetryCount>
The maximum number of retry requests for a single call to the NVD API.
- Type:
java.lang.Integer
- Required:
No
- User Property:
nvdMaxRetryCount
<nvdPassword>
The password for basic auth to the NVD Data Feed.
- Type:
java.lang.String
- Required:
No
- User Property:
nvdPassword
<nvdUser>
The username for basic auth to the NVD Data Feed.
- Type:
java.lang.String
- Required:
No
- User Property:
nvdUser
<nvdValidForHours>
The number of hours to wait before checking for new updates from the NVD.
- Type:
java.lang.Integer
- Required:
No
- User Property:
nvdValidForHours
<opensslAnalyzerEnabled>
Sets whether or not the openssl Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
opensslAnalyzerEnabled
<ossIndexServerId>
The id of a server defined in the settings.xml that configures the credentials (username and password) for a OSS Index service.
- Type:
java.lang.String
- Required:
No
- User Property:
ossIndexServerId
<ossIndexWarnOnlyOnRemoteErrors>
Whether we should only warn about Sonatype OSS Index remote errors instead of failing the goal completely.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
ossIndexWarnOnlyOnRemoteErrors
<ossindexAnalyzerEnabled>
Whether or not the Sonatype OSS Index analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
ossindexAnalyzerEnabled
<ossindexAnalyzerUrl>
URL of the Sonatype OSS Index service.
- Type:
java.lang.String
- Required:
No
- User Property:
ossindexAnalyzerUrl
<ossindexAnalyzerUseCache>
Whether or not the Sonatype OSS Index analyzer should cache results.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
ossindexAnalyzerUseCache
<outputDirectory>
The output directory. This generally maps to "target".
- Type:
java.io.File
- Required:
Yes
- User Property:
odc.outputDirectory
- Default:
${project.build.directory}
<pathToCore>
The path to dotnet core.
- Type:
java.lang.String
- Required:
No
- User Property:
pathToCore
<pathToGo>
Sets the path to `go`.
- Type:
java.lang.String
- Required:
No
- User Property:
pathToGo
<pathToPnpm>
Sets the path to `pnpm`.
- Type:
java.lang.String
- Required:
No
- User Property:
pathToPnpm
<pathToYarn>
Sets the path to `yarn`.
- Type:
java.lang.String
- Required:
No
- User Property:
pathToYarn
<pipAnalyzerEnabled>
Sets whether or not the pip Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
pipAnalyzerEnabled
<pipfileAnalyzerEnabled>
Sets whether or not the pipfile Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
pipfileAnalyzerEnabled
<pnpmAuditAnalyzerEnabled>
Sets whether or not the Pnpm Audit Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
pnpmAuditAnalyzerEnabled
<poetryAnalyzerEnabled>
Sets whether or not the poetry Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
poetryAnalyzerEnabled
<prettyPrint>
Whether or not the XML and JSON report formats should be pretty printed. The default is false.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
prettyPrint
<proxy>
The proxy configuration.
- Type:
org.owasp.dependencycheck.maven.ProxyConfig
- Required:
No
<pyDistributionAnalyzerEnabled>
Sets whether the Python Distribution Analyzer will be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
pyDistributionAnalyzerEnabled
<pyPackageAnalyzerEnabled>
Sets whether the Python Package Analyzer will be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
pyPackageAnalyzerEnabled
<readTimeout>
The Read Timeout.
- Type:
java.lang.String
- Required:
No
- User Property:
readTimeout
<retireJsAnalyzerEnabled>
Sets whether or not the Retirejs Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
retireJsAnalyzerEnabled
<retireJsForceUpdate>
Whether the Retire JS repository will be updated regardless of the `autoupdate` settings.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
retireJsForceUpdate
<retireJsPassword>
The password to authenticate to the CVE-URL. The `retireJsUrlServerId` should be used instead otherwise maven debug logging could expose the password.
- Type:
java.lang.String
- Required:
No
- User Property:
retireJsPassword
<retireJsUrl>
The Retire JS repository URL.
- Type:
java.lang.String
- Required:
No
- User Property:
retireJsUrl
<retireJsUrlServerId>
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for cve-URLs.
- Type:
java.lang.String
- Required:
No
- User Property:
retireJsUrlServerId
<retireJsUser>
The username to use when connecting to the CVE-URL.
- Type:
java.lang.String
- Required:
No
- User Property:
retireJsUser
<retirejs>
The RetireJS Analyzer configuration:
filters: an array of filter patterns that are used to exclude JS files that contain a match filterNonVulnerable: a boolean that when true will remove non-vulnerable JS from the report Example: <retirejs> <filters> <filter>copyright 2018\(c\) Jeremy Long</filter> </filters> <filterNonVulnerable>true</filterNonVulnerable> </retirejs>
- Type:
org.owasp.dependencycheck.maven.Retirejs
- Required:
No
- User Property:
retirejs
<rubygemsAnalyzerEnabled>
Sets whether the Ruby Gemspec Analyzer will be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
rubygemsAnalyzerEnabled
<scanDependencies>
Whether the project's dependencies should also be scanned.
- Type:
boolean
- Required:
No
- User Property:
odc.dependencies.scan
- Default:
true
<scanDirectory>
A list of directories to scan. Note, this should only be used via the command line - if configuring the directories to scan consider using the `scanSet` instead.
- Type:
java.util.List<java.lang.String>
- Required:
No
- User Property:
scanDirectory
<scanPlugins>
Whether the project's plugins should also be scanned.
- Type:
boolean
- Required:
No
- User Property:
odc.plugins.scan
- Default:
false
<scanSet>
An collection of
fileSet
s that specify additional files and/or directories (from the basedir) to analyze as part of the scan. If not specified, defaults to Maven conventions of: src/main/resources, src/main/filters, and src/main/webapp. Note, this cannot be set via the command line - use `scanDirectory` instead.- Type:
java.util.List<org.apache.maven.shared.model.fileset.FileSet>
- Required:
No
<serverId>
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml. This is used for the database username and password.
- Type:
java.lang.String
- Required:
No
- User Property:
serverId
<showSummary>
Flag indicating whether or not to show a summary in the output.
- Type:
boolean
- Required:
No
- User Property:
showSummary
- Default:
true
<skip>
Skip Dependency Check altogether.
- Type:
boolean
- Required:
No
- User Property:
dependency-check.skip
- Default:
false
<skipArtifactType>
Skip analysis for dependencies which type matches this regular expression. This filters on the `type` of dependency as defined in the dependency section: jar, pom, test-jar, etc.
- Type:
java.lang.String
- Required:
No
- User Property:
skipArtifactType
<skipDependencyManagement>
Skip Analysis for dependencyManagement section.
- Type:
boolean
- Required:
No
- User Property:
skipDependencyManagement
- Default:
true
<skipProvidedScope>
Skip Analysis for Provided Scope Dependencies.
- Type:
boolean
- Required:
No
- User Property:
skipProvidedScope
- Default:
false
<skipRuntimeScope>
Skip Analysis for Runtime Scope Dependencies.
- Type:
boolean
- Required:
No
- User Property:
skipRuntimeScope
- Default:
false
<skipSystemScope>
Skip Analysis for System Scope Dependencies.
- Type:
boolean
- Required:
No
- User Property:
skipSystemScope
- Default:
false
<skipTestScope>
Skip Analysis for Test Scope Dependencies.
- Type:
boolean
- Required:
No
- User Property:
skipTestScope
- Default:
true
<suppressionFile>
The paths to the suppression file. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)
- Type:
java.lang.String
- Required:
No
- User Property:
suppressionFile
<suppressionFilePassword>
The password used when connecting to the suppressionFiles. The `suppressionFileServerId` should be used instead otherwise maven debug logging could expose the password.
- Type:
java.lang.String
- Required:
No
- User Property:
suppressionFilePassword
<suppressionFileServerId>
The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for suppressionFile(s).
- Type:
java.lang.String
- Required:
No
- User Property:
suppressionFileServerId
<suppressionFileUser>
The username used when connecting to the suppressionFiles.
- Type:
java.lang.String
- Required:
No
- User Property:
suppressionFileUser
<suppressionFiles>
The paths to the suppression files. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)
- Type:
java.lang.String[]
- Required:
No
- User Property:
suppressionFiles
<swiftPackageManagerAnalyzerEnabled>
Whether or not the Swift package Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
swiftPackageManagerAnalyzerEnabled
<swiftPackageResolvedAnalyzerEnabled>
Whether or not the Swift package resolved Analyzer is enabled.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
swiftPackageResolvedAnalyzerEnabled
<versionCheckEnabled>
Sets whether dependency-check should check if there is a new version available.
- Type:
boolean
- Required:
No
- User Property:
versionCheckEnabled
- Default:
true
<virtualSnapshotsFromReactor>
Use pom dependency information for snapshot dependencies that are part of the Maven reactor while aggregate scanning a multi-module project.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
dependency-check.virtualSnapshotsFromReactor
- Default:
true
<yarnAuditAnalyzerEnabled>
Sets whether or not the Yarn Audit Analyzer should be used.
- Type:
java.lang.Boolean
- Required:
No
- User Property:
yarnAuditAnalyzerEnabled
<zipExtensions>
A comma-separated list of file extensions to add to analysis next to jar, zip, ....
- Type:
java.lang.String
- Required:
No
- User Property:
zipExtensions