Projects/OWASP Dependency Check

Revision as of 14:41, 27 February 2013 by Samantha Groves (Talk | contribs)

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP Dependency Check (home page)
Purpose: DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within a Java project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

License: GNU GPL v3 License
who is working on this project?
Project Leader(s):
  • Jeremy Long @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Jeremy Long @ to contribute to this project
  • Contact Jeremy Long @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release

OWASP Dependency-Check

Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf. This tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.


The OWASP Top 10 2013 contains a new entry: A9 - Using Components with Known Vulnerabilities. Dependency-check can currently be used to scan applications (and their dependent libraries) to identify any known vulnerable components.

The problem with using known vulnerable components was described very well in a paper by Jeff Williams and Arshan Dabirsiaghi titled "The Unfortunate Reality of Insecure Libraries" (registration required). The gist of the paper is that we as a development community include third-party libraries in our applications that contain well-known, published vulnerabilities (such as those at the National Vulnerability Database).

Dependency-check has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin. The core engine contains a series of analyzers that inspect the project dependencies and collect pieces of information about them (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, the associated Common Vulnerabilities and Exposures (CVE) entries are listed in a report.
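The evidence-to-CPE-to-CVE flow described above, as a simplified added sketch (not Dependency-Check's own code or matching algorithm). The vendor and product names, the `NVD_INDEX` table, the placeholder CVE ids and all function names are assumptions made for illustration.

```python
import io, re, zipfile

# Constructed stand-in for the local NVD data: CPE prefix -> version -> CVE ids.
# Vendor, product and CVE ids are placeholders, not real entries.
NVD_INDEX = {"cpe:/a:examplecorp:widget": {"1.2.0": ["CVE-0000-0001"], "1.2.1": []}}
MANIFEST_FIELDS = {"Implementation-Vendor": "vendor",
                   "Implementation-Title": "product",
                   "Implementation-Version": "version"}

def make_jar(manifest=None):
    """Build a small in-memory JAR (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if manifest is not None:
            z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("com/example/Widget.class", b"")
    return buf.getvalue()

def collect_evidence(name, data):
    """Return (source, field, value) tuples from the manifest, then the file name."""
    evidence = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "META-INF/MANIFEST.MF" in z.namelist():
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8")
            for line in text.splitlines():
                key, _, value = line.partition(":")
                if key.strip() in MANIFEST_FIELDS:
                    evidence.append(("manifest", MANIFEST_FIELDS[key.strip()],
                                     value.strip().lower()))
    m = re.match(r"([a-z][a-z0-9_-]*?)-(\d+(?:\.\d+)*)\.jar$", name.lower())
    if m:
        evidence += [("filename", "product", m.group(1)),
                     ("filename", "version", m.group(2))]
    return evidence

def identify(evidence):
    """Map evidence to a CPE and its CVE list; (None, []) when nothing matches."""
    best = {}
    for _source, field, value in evidence:
        best.setdefault(field, value)  # earlier (manifest) evidence wins
    for prefix, versions in NVD_INDEX.items():
        vendor, product = prefix.split(":")[2:4]
        if (best.get("product") == product
                and best.get("vendor", vendor) == vendor  # vendor may be unknown
                and best.get("version") in versions):
            return f"{prefix}:{best['version']}", versions[best["version"]]
    return None, []

def scan(name, manifest=None):
    return identify(collect_evidence(name, make_jar(manifest)))
```

In this sketch, `scan("lib.jar")` with no manifest yields no CPE at all, which shows why a clean report only means that no evidence matched, not that the component is free of known vulnerabilities.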

Dependency-check automatically updates itself using the NVD Data Feeds hosted by NIST. IMPORTANT NOTE: The initial download of the data may take ten minutes or more. If you run the tool at least once every seven days, only a small XML file needs to be downloaded to keep the local copy of the data current.

Quick Download

Version 1.3.4




Mailing List





Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:

As of March 2015, the top priorities are:

Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:

  • Use the tool
  • Provide feedback via the mailing list or by creating GitHub issues (both bugs and feature requests are encouraged)
  • The project source code is hosted on GitHub - if you are so inclined, fork it and submit pull requests!

last reviewed release
Not Yet Reviewed

other releases