Note:
This goal should be used as a Maven report.
Full name:
org.owasp:dependency-check-maven:9.1.0:check
Description:
Maven Plugin that checks the project dependencies to see if they have any known published vulnerabilities.
Attributes:
compile+runtime.
verify.
Name | Type | Since | Description |
---|---|---|---|
<failBuildOnAnyVulnerability> | boolean | - | Deprecated; use failBuildOnCVSS with a value of 0 instead. Fail the build if any dependency has a vulnerability listed. Default: false. User Property: failBuildOnAnyVulnerability |
<failBuildOnCVSS> | float | - | Specifies whether the build should fail when a CVSS score above the specified level is identified. The default is 11; because CVSS scores range from 0 to 10, the build never fails by default. Default: 11. User Property: failBuildOnCVSS |
<failOnError> | boolean | - | Sets whether or not the mojo should fail if an error occurs. Default: true. User Property: failOnError |
<format> | String | - | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma-delimited list. Default: HTML. User Property: format |
<formats> | String[] | - | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). Multiple formats can be selected using a comma-delimited list. User Property: formats |
<junitFailOnCVSS> | float | - | Specifies the CVSS score that is considered a "test" failure when generating a jUnit style report. The default value is 0, meaning all vulnerabilities are considered a failure. Default: 0. User Property: junitFailOnCVSS |
<name> | String | - | The name of the report in the site. Default: dependency-check. User Property: name |
<outputDirectory> | File | - | The output directory. This generally maps to "target". Default: ${project.build.directory}. User Property: odc.outputDirectory |
Name | Type | Since | Description |
---|---|---|---|
<archiveAnalyzerEnabled> | Boolean | - | Whether or not the Archive Analyzer is enabled. User Property: archiveAnalyzerEnabled |
<artifactoryAnalyzerApiToken> | String | - | The API token used to connect to the Artifactory instance. User Property: artifactoryAnalyzerApiToken |
<artifactoryAnalyzerBearerToken> | String | - | The bearer token used to connect to the Artifactory instance. User Property: artifactoryAnalyzerBearerToken |
<artifactoryAnalyzerEnabled> | Boolean | - | Whether or not the Artifactory Analyzer is enabled. User Property: artifactoryAnalyzerEnabled |
<artifactoryAnalyzerParallelAnalysis> | Boolean | - | Whether the Artifactory analyzer should be run in parallel or not. Default: true. User Property: artifactoryAnalyzerParallelAnalysis |
<artifactoryAnalyzerServerId> | String | - | The serverId inside the settings.xml containing the username and token to access Artifactory. User Property: artifactoryAnalyzerServerId |
<artifactoryAnalyzerUrl> | String | - | The Artifactory URL for the Artifactory analyzer. User Property: artifactoryAnalyzerUrl |
<artifactoryAnalyzerUseProxy> | Boolean | - | Whether Artifactory should be accessed through a proxy or not. User Property: artifactoryAnalyzerUseProxy |
<artifactoryAnalyzerUsername> | String | - | The username (only used with API token) used to connect to the Artifactory instance. User Property: artifactoryAnalyzerUsername |
<assemblyAnalyzerEnabled> | Boolean | - | Whether or not the .NET Assembly Analyzer is enabled. User Property: assemblyAnalyzerEnabled |
<autoconfAnalyzerEnabled> | Boolean | - | Sets whether or not the autoconf Analyzer should be used. User Property: autoconfAnalyzerEnabled |
<autoUpdate> | Boolean | - | Sets whether auto-updating of the NVD CVE data is enabled. Setting this to false is not recommended. Default is true. User Property: autoUpdate |
<bundleAuditAnalyzerEnabled> | Boolean | - | Whether or not the Ruby Bundle Audit Analyzer is enabled. User Property: bundleAuditAnalyzerEnabled |
<bundleAuditPath> | String | - | Sets the path for the bundle-audit binary. User Property: bundleAuditPath |
<bundleAuditWorkingDirectory> | String | - | Sets the path for the working directory that the bundle-audit binary should be executed from. User Property: bundleAuditWorkingDirectory |
<centralAnalyzerEnabled> | Boolean | - | Whether or not the Central Analyzer is enabled. User Property: centralAnalyzerEnabled |
<centralAnalyzerUseCache> | Boolean | - | Whether or not the Central Analyzer should use a local cache. User Property: centralAnalyzerUseCache |
<cmakeAnalyzerEnabled> | Boolean | - | Sets whether or not the CMake Analyzer should be used. User Property: cmakeAnalyzerEnabled |
<cocoapodsAnalyzerEnabled> | Boolean | - | Whether or not the CocoaPods Analyzer is enabled. User Property: cocoapodsAnalyzerEnabled |
<composerAnalyzerEnabled> | Boolean | - | Sets whether or not the PHP Composer Lock File Analyzer should be used. User Property: composerAnalyzerEnabled |
<connectionString> | String | - | The database connection string. User Property: connectionString |
<connectionTimeout> | String | - | The Connection Timeout. User Property: connectionTimeout |
<cpanfileAnalyzerEnabled> | Boolean | - | Whether or not the Perl CPAN File Analyzer is enabled. User Property: cpanfileAnalyzerEnabled |
<dartAnalyzerEnabled> | Boolean | - | Sets whether the Dart analyzer is enabled. Default is true. User Property: dartAnalyzerEnabled |
<databaseDriverName> | String | - | The database driver name. An example would be org.h2.Driver. User Property: databaseDriverName |
<databaseDriverPath> | String | - | The path to the database driver if it is not on the class path. User Property: databaseDriverPath |
<databasePassword> | String | - | The password to use when connecting to the database. Use `serverId` instead; otherwise Maven debug logging could expose the password. User Property: databasePassword |
<databaseUser> | String | - | The database user name. User Property: databaseUser |
<dataDirectory> | String | - | The data directory, which holds the DC SQL DB. User Property: dataDirectory |
<dbFilename> | String | - | The name of the DC DB. User Property: dbFilename |
<enableExperimental> | Boolean | - | Sets whether Experimental analyzers are enabled. Default is false. User Property: enableExperimental |
<enableRetired> | Boolean | - | Sets whether retired analyzers are enabled. Default is false. User Property: enableRetired |
<excludes> | List<String> | - | The list of artifacts (and their transitive dependencies) to exclude from the check. User Property: odc.excludes |
<golangDepEnabled> | Boolean | - | Sets whether the Golang Dependency analyzer is enabled. Default is true. User Property: golangDepEnabled |
<golangModEnabled> | Boolean | - | Sets whether Golang Module Analyzer is enabled; this requires `go` to be installed. Default is true. User Property: golangModEnabled |
<hintsFile> | String | - | The path to the hints file. User Property: hintsFile |
<hostedSuppressionsEnabled> | Boolean | - | Whether the hosted suppressions file will be used. User Property: hostedSuppressionsEnabled |
<hostedSuppressionsForceUpdate> | Boolean | - | Whether the hosted suppressions file will be updated regardless of the `autoupdate` settings. User Property: hostedSuppressionsForceUpdate |
<hostedSuppressionsUrl> | String | - | The hosted suppressions file URL. User Property: hostedSuppressionsUrl |
<hostedSuppressionsValidForHours> | Integer | - | Skip excessive hosted suppression file update checks for a designated duration in hours (defaults to 2 hours). User Property: hostedSuppressionsValidForHours |
<jarAnalyzerEnabled> | Boolean | - | Whether or not the Jar Analyzer is enabled. User Property: jarAnalyzerEnabled |
<knownExploitedEnabled> | Boolean | - | Whether or not the Known Exploited Vulnerability Analyzer is enabled. User Property: knownExploitedEnabled |
<knownExploitedUrl> | String | - | The URL to the CISA Known Exploited Vulnerabilities JSON datafeed. User Property: knownExploitedUrl |
<libmanAnalyzerEnabled> | Boolean | - | Whether or not the Libman Analyzer is enabled. User Property: libmanAnalyzerEnabled |
<mavenInstallAnalyzerEnabled> | Boolean | - | Sets whether or not the Maven install Analyzer should be used. User Property: mavenInstallAnalyzerEnabled |
<mavenSettings> | Settings | - | The Maven settings. Default: ${settings}. User Property: mavenSettings |
<mavenSettingsProxyId> | String | - | The maven settings proxy id. User Property: mavenSettingsProxyId |
<mixAuditAnalyzerEnabled> | Boolean | - | Whether or not the Elixir Mix Audit Analyzer is enabled. User Property: mixAuditAnalyzerEnabled |
<mixAuditPath> | String | - | Sets the path for the mix_audit binary. User Property: mixAuditPath |
<msbuildAnalyzerEnabled> | Boolean | - | Whether or not the MS Build Analyzer is enabled. User Property: msbuildAnalyzerEnabled |
<nexusAnalyzerEnabled> | Boolean | - | Whether or not the Nexus Analyzer is enabled. User Property: nexusAnalyzerEnabled |
<nexusServerId> | String | - | The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated. User Property: nexusServerId |
<nexusUrl> | String | - | The URL of a Nexus server's REST API end point (http://domain/nexus/service/local). User Property: nexusUrl |
<nexusUsesProxy> | Boolean | - | Whether or not the configured proxy is used to connect to Nexus. User Property: nexusUsesProxy |
<nodeAnalyzerEnabled> | Boolean | - | Sets whether or not the Node.js Analyzer should be used. User Property: nodeAnalyzerEnabled |
<nodeAuditAnalyzerEnabled> | Boolean | - | Sets whether or not the Node Audit Analyzer should be used. User Property: nodeAuditAnalyzerEnabled |
<nodeAuditAnalyzerUrl> | String | - | The Node Audit API URL for the Node Audit Analyzer. User Property: nodeAuditAnalyzerUrl |
<nodeAuditAnalyzerUseCache> | Boolean | - | Sets whether or not the Node Audit Analyzer should use a local cache. User Property: nodeAuditAnalyzerUseCache |
<nodeAuditSkipDevDependencies> | Boolean | - | Sets whether or not the Node Audit Analyzer should skip devDependencies. User Property: nodeAuditSkipDevDependencies |
<nodePackageSkipDevDependencies> | Boolean | - | Sets whether or not the Node.js Analyzer should skip devDependencies. User Property: nodePackageSkipDevDependencies |
<nugetconfAnalyzerEnabled> | Boolean | - | Whether or not the .NET packages.config Analyzer is enabled. User Property: nugetconfAnalyzerEnabled |
<nuspecAnalyzerEnabled> | Boolean | - | Whether or not the .NET Nuspec Analyzer is enabled. User Property: nuspecAnalyzerEnabled |
<nvdApiDelay> | Integer | - | The time in milliseconds to wait between downloading NVD API data. User Property: nvdApiDelay |
<nvdApiEndpoint> | String | - | The NVD API Endpoint; setting this is uncommon. User Property: nvdApiEndpoint |
<nvdApiKey> | String | - | The NVD API Key. Use nvdApiKeyEnvironmentVariable or nvdApiServerId instead; otherwise Maven debug logging could expose the API Key (see GHSA-qqhq-8r2c-c3f5). This takes precedence over nvdApiServerId and nvdApiKeyEnvironmentVariable. User Property: nvdApiKey |
<nvdApiKeyEnvironmentVariable> | String | - | The environment variable from which to retrieve the API key for the NVD API. Takes precedence over nvdApiServerId but is potentially overwritten by nvdApiKey. This is the recommended option to pass the API key in CI builds. User Property: nvdApiKeyEnvironmentVariable |
<nvdApiServerId> | String | - | The server id in the settings.xml; used to retrieve the encrypted API Key for the NVD API from the settings.xml. Note that the password is used as the API Key. Is potentially overwritten by nvdApiKeyEnvironmentVariable or nvdApiKey. User Property: nvdApiServerId |
<nvdDatafeedServerId> | String | - | The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for the NVD Data Feed. User Property: nvdDatafeedServerId |
<nvdDatafeedUrl> | String | - | The NVD API Data Feed URL. User Property: nvdDatafeedUrl |
<nvdMaxRetryCount> | Integer | - | The maximum number of retry requests for a single call to the NVD API. User Property: nvdMaxRetryCount |
<nvdPassword> | String | - | The password for basic auth to the NVD Data Feed. User Property: nvdPassword |
<nvdUser> | String | - | The username for basic auth to the NVD Data Feed. User Property: nvdUser |
<nvdValidForHours> | Integer | - | The number of hours to wait before checking for new updates from the NVD. User Property: nvdValidForHours |
<opensslAnalyzerEnabled> | Boolean | - | Sets whether or not the openssl Analyzer should be used. User Property: opensslAnalyzerEnabled |
<ossindexAnalyzerEnabled> | Boolean | - | Whether or not the Sonatype OSS Index analyzer is enabled. User Property: ossindexAnalyzerEnabled |
<ossindexAnalyzerUrl> | String | - | URL of the Sonatype OSS Index service. User Property: ossindexAnalyzerUrl |
<ossindexAnalyzerUseCache> | Boolean | - | Whether or not the Sonatype OSS Index analyzer should cache results. User Property: ossindexAnalyzerUseCache |
<ossIndexServerId> | String | - | The id of a server defined in the settings.xml that configures the credentials (username and password) for an OSS Index service. User Property: ossIndexServerId |
<ossIndexWarnOnlyOnRemoteErrors> | Boolean | - | Whether we should only warn about Sonatype OSS Index remote errors instead of failing the goal completely. User Property: ossIndexWarnOnlyOnRemoteErrors |
<pathToCore> | String | - | The path to dotnet core. User Property: pathToCore |
<pathToGo> | String | - | Sets the path to `go`. User Property: pathToGo |
<pathToPnpm> | String | - | Sets the path to `pnpm`. User Property: pathToPnpm |
<pathToYarn> | String | - | Sets the path to `yarn`. User Property: pathToYarn |
<pipAnalyzerEnabled> | Boolean | - | Sets whether or not the pip Analyzer should be used. User Property: pipAnalyzerEnabled |
<pipfileAnalyzerEnabled> | Boolean | - | Sets whether or not the pipfile Analyzer should be used. User Property: pipfileAnalyzerEnabled |
<pnpmAuditAnalyzerEnabled> | Boolean | - | Sets whether or not the Pnpm Audit Analyzer should be used. User Property: pnpmAuditAnalyzerEnabled |
<poetryAnalyzerEnabled> | Boolean | - | Sets whether or not the poetry Analyzer should be used. User Property: poetryAnalyzerEnabled |
<prettyPrint> | Boolean | - | Whether or not the XML and JSON report formats should be pretty printed. The default is false. User Property: prettyPrint |
<proxy> | ProxyConfig | - | The proxy configuration. |
<pyDistributionAnalyzerEnabled> | Boolean | - | Sets whether the Python Distribution Analyzer will be used. User Property: pyDistributionAnalyzerEnabled |
<pyPackageAnalyzerEnabled> | Boolean | - | Sets whether the Python Package Analyzer will be used. User Property: pyPackageAnalyzerEnabled |
<readTimeout> | String | - | The Read Timeout. User Property: readTimeout |
<retirejs> | Retirejs | - | The RetireJS Analyzer configuration. filters: an array of filter patterns that are used to exclude JS files that contain a match. filterNonVulnerable: a boolean that, when true, removes non-vulnerable JS from the report. Example: `<retirejs><filters><filter>copyright 2018\(c\) Jeremy Long</filter></filters><filterNonVulnerable>true</filterNonVulnerable></retirejs>`. User Property: retirejs |
<retireJsAnalyzerEnabled> | Boolean | - | Sets whether or not the Retirejs Analyzer should be used. User Property: retireJsAnalyzerEnabled |
<retireJsForceUpdate> | Boolean | - | Whether the Retire JS repository will be updated regardless of the `autoupdate` settings. User Property: retireJsForceUpdate |
<retireJsPassword> | String | - | The password to authenticate to the CVE-URL. Use `retireJsUrlServerId` instead; otherwise Maven debug logging could expose the password. User Property: retireJsPassword |
<retireJsUrl> | String | - | The Retire JS repository URL. User Property: retireJsUrl |
<retireJsUrlServerId> | String | - | The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for cve-URLs. User Property: retireJsUrlServerId |
<retireJsUser> | String | - | The username to use when connecting to the CVE-URL. User Property: retireJsUser |
<rubygemsAnalyzerEnabled> | Boolean | - | Sets whether the Ruby Gemspec Analyzer will be used. User Property: rubygemsAnalyzerEnabled |
<scanDependencies> | boolean | - | Whether the project's dependencies should also be scanned. Default: true. User Property: odc.dependencies.scan |
<scanDirectory> | List<String> | - | A list of directories to scan. This should only be used via the command line; when configuring the directories to scan, consider using `scanSet` instead. User Property: scanDirectory |
<scanPlugins> | boolean | - | Whether the project's plugins should also be scanned. Default: false. User Property: odc.plugins.scan |
<scanSet> | List<FileSet> | - | A collection of fileSets that specify additional files and/or directories (from the basedir) to analyze as part of the scan. If not specified, defaults to Maven conventions of: src/main/resources, src/main/filters, and src/main/webapp. This cannot be set via the command line; use `scanDirectory` instead. |
<serverId> | String | - | The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml. This is used for the database username and password. User Property: serverId |
<showSummary> | boolean | - | Flag indicating whether or not to show a summary in the output. Default: true. User Property: showSummary |
<skip> | boolean | - | Skip Dependency Check altogether. Default: false. User Property: dependency-check.skip |
<skipArtifactType> | String | - | Skip analysis for dependencies whose type matches this regular expression. This filters on the `type` of dependency as defined in the dependency section: jar, pom, test-jar, etc. User Property: skipArtifactType |
<skipDependencyManagement> | boolean | - | Skip Analysis for dependencyManagement section. Default: true. User Property: skipDependencyManagement |
<skipProvidedScope> | boolean | - | Skip Analysis for Provided Scope Dependencies. Default: false. User Property: skipProvidedScope |
<skipRuntimeScope> | boolean | - | Skip Analysis for Runtime Scope Dependencies. Default: false. User Property: skipRuntimeScope |
<skipSystemScope> | boolean | - | Skip Analysis for System Scope Dependencies. Default: false. User Property: skipSystemScope |
<skipTestScope> | boolean | - | Skip Analysis for Test Scope Dependencies. Default: true. User Property: skipTestScope |
<suppressionFile> | String | - | The paths to the suppression file. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799). User Property: suppressionFile |
<suppressionFilePassword> | String | - | The password used when connecting to the suppressionFiles. Use `suppressionFileServerId` instead; otherwise Maven debug logging could expose the password. User Property: suppressionFilePassword |
<suppressionFiles> | String[] | - | The paths to the suppression files. The parameter value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799). User Property: suppressionFiles |
<suppressionFileServerId> | String | - | The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml for suppressionFile(s). User Property: suppressionFileServerId |
<suppressionFileUser> | String | - | The username used when connecting to the suppressionFiles. User Property: suppressionFileUser |
<swiftPackageManagerAnalyzerEnabled> | Boolean | - | Whether or not the Swift package Analyzer is enabled. User Property: swiftPackageManagerAnalyzerEnabled |
<swiftPackageResolvedAnalyzerEnabled> | Boolean | - | Whether or not the Swift package resolved Analyzer is enabled. User Property: swiftPackageResolvedAnalyzerEnabled |
<versionCheckEnabled> | boolean | - | Sets whether dependency-check should check if there is a new version available. Default: true. User Property: versionCheckEnabled |
<virtualSnapshotsFromReactor> | Boolean | - | Use pom dependency information for snapshot dependencies that are part of the Maven reactor while aggregate scanning a multi-module project. Default: true. User Property: dependency-check.virtualSnapshotsFromReactor |
<yarnAuditAnalyzerEnabled> | Boolean | - | Sets whether or not the Yarn Audit Analyzer should be used. User Property: yarnAuditAnalyzerEnabled |
<zipExtensions> | String | - | A comma-separated list of file extensions to add to analysis in addition to jar, zip, ... User Property: zipExtensions |
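
Added example (not part of the plugin documentation or the project's code): a small Python check that reads a pom.xml and reports the settings the parameter descriptions above warn about, namely secrets set inline where a serverId or environment-variable parameter exists, a failBuildOnCVSS left above 10, autoUpdate disabled, and skip enabled. The two sample POMs are constructed, and the check assumes the parameters sit in the plugin's top-level <configuration> block rather than in an execution or on the command line.

```python
import xml.etree.ElementTree as ET

# Parameters this page says Maven debug logging could expose, mapped to the
# alternative the page names for each.
INLINE_SECRETS = {
    "nvdApiKey": "nvdApiKeyEnvironmentVariable or nvdApiServerId",
    "databasePassword": "serverId",
    "retireJsPassword": "retireJsUrlServerId",
    "suppressionFilePassword": "suppressionFileServerId",
}

# Constructed sample POMs (not from the page). The key, the variable name
# NVD_API_KEY and the threshold 7 are placeholders chosen for illustration.
_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>9.1.0</version>
    <configuration>%s</configuration>
  </plugin></plugins></build>
</project>"""
WEAK_POM = _POM % """
      <nvdApiKey>CONSTRUCTED-PLACEHOLDER-KEY</nvdApiKey>
      <autoUpdate>false</autoUpdate>"""
HARDENED_POM = _POM % """
      <nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
      <failBuildOnCVSS>7</failBuildOnCVSS>"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def plugin_config(pom_xml):
    """Return {parameter: text} from the plugin's <configuration>, or None
    when dependency-check-maven is not declared in the POM."""
    for elem in ET.fromstring(pom_xml).iter():
        if _local(elem.tag) != "plugin":
            continue
        children = {_local(c.tag): c for c in elem}
        artifact = children.get("artifactId")
        if artifact is None or (artifact.text or "").strip() != "dependency-check-maven":
            continue
        cfg = children.get("configuration")
        return {} if cfg is None else {_local(p.tag): (p.text or "").strip() for p in cfg}
    return None


def audit(pom_xml):
    """Return (parameter, message) findings for settings the page warns about."""
    cfg = plugin_config(pom_xml)
    if cfg is None:
        return [("plugin", "dependency-check-maven is not configured")]
    findings = []
    # Secrets written into the POM end up in Maven debug output.
    for name, alternative in INLINE_SECRETS.items():
        if cfg.get(name):
            findings.append((name, f"set inline; use {alternative} instead"))
    # The documented default is 11, which no CVSS score (0-10) can exceed.
    raw = cfg.get("failBuildOnCVSS", "11")
    try:
        if float(raw) > 10:
            findings.append(("failBuildOnCVSS",
                             f"{raw} is outside the 0-10 CVSS range; the build never fails"))
    except ValueError:
        findings.append(("failBuildOnCVSS",
                         f"{raw!r} is not a literal number; resolve the property and re-check"))
    if cfg.get("autoUpdate", "true").lower() == "false":
        findings.append(("autoUpdate", "NVD CVE data is not auto-updated; not recommended"))
    if cfg.get("skip", "false").lower() == "true":
        findings.append(("skip", "Dependency Check is skipped altogether"))
    return findings


if __name__ == "__main__":
    for label, pom in (("weak", WEAK_POM), ("hardened", HARDENED_POM)):
        print(label, audit(pom))
```
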