OWASP Dependency-Check
What is OWASP Dependency-Check?
OWASP Dependency-Check: An open-source software composition analysis tool from OWASP that scans project dependencies and reports known vulnerabilities by matching CPEs to CVE data.
OWASP Dependency-Check is a free software composition analysis (SCA) tool that identifies publicly disclosed vulnerabilities in a project's third-party dependencies. It analyzes Java, .NET, Node.js, Python, Ruby, PHP, and other ecosystems by extracting evidence from files and mapping artifacts to Common Platform Enumeration (CPE) identifiers, then cross-referencing against the National Vulnerability Database (NVD), GitHub Advisories, and other feeds. It runs as a CLI, Maven, Gradle, Jenkins, GitHub Action, or Docker image, producing HTML, JSON, JUnit, and SARIF reports for CI/CD pipelines. Teams use it alongside SAST and DAST to enforce baseline SBOM hygiene and to evidence due diligence for supply-chain risk management.
● Examples
- 01: Failing a Jenkins build when Dependency-Check reports a CVSS 9.0+ vulnerability in a Maven dependency.
- 02: Exporting Dependency-Check SARIF results to the GitHub Security tab for centralized triage.
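Example 01 above as an added worked example (not code from the Dependency-Check project): a small Python gate that reads a Dependency-Check JSON report and fails the build when any finding scores CVSS 9.0 or higher, which is the same policy the tool's own failBuildOnCVSS (Maven) / --failOnCVSS (CLI) setting enforces. The report layout used here (dependencies, each with a vulnerabilities list carrying cvssv3.baseScore or cvssv2.score) is an assumption about the JSON format, and the sample report content is constructed.

```python
import json

# Constructed sample in the shape of a Dependency-Check JSON report.
# Assumption: field names follow the report's "dependencies" ->
# "vulnerabilities" -> "cvssv3.baseScore" / "cvssv2.score" layout.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "example-util-2.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
              "cvssv2": {"score": 5.0}}]},
        {"fileName": "clean-lib-3.1.jar"},   # no vulnerabilities key at all
    ]
})


def vulnerability_score(vuln):
    """Highest available CVSS score for one finding: v3 preferred, v2 fallback, 0.0 if neither."""
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    v2 = (vuln.get("cvssv2") or {}).get("score")
    return max(float(v3 or 0.0), float(v2 or 0.0))


def findings_at_or_above(report_json, threshold):
    """Return (dependency fileName, vulnerability id, score) for every finding >= threshold."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):   # tolerate missing key
            score = vulnerability_score(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return hits


def build_should_fail(report_json, threshold=9.0):
    """True when any dependency carries a vulnerability scoring >= threshold (default 9.0)."""
    return bool(findings_at_or_above(report_json, threshold))


if __name__ == "__main__":
    # In CI, point this at dependency-check-report.json; a non-zero exit fails the stage.
    for file_name, vuln_id, score in findings_at_or_above(SAMPLE_REPORT, 9.0):
        print(f"FAIL: {file_name} {vuln_id} CVSS {score}")
    raise SystemExit(1 if build_should_fail(SAMPLE_REPORT) else 0)
```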
● Frequently asked questions
What is OWASP Dependency-Check?
An open-source software composition analysis tool from OWASP that scans project dependencies and reports known vulnerabilities by matching CPEs to CVE data. It belongs to the Compliance & Frameworks category of cybersecurity.
What does OWASP Dependency-Check mean?
An open-source software composition analysis tool from OWASP that scans project dependencies and reports known vulnerabilities by matching CPEs to CVE data.
How do you defend against OWASP Dependency-Check?
OWASP Dependency-Check is itself a defensive control rather than a threat: it is run to detect vulnerable third-party dependencies before they reach production, as detailed in the full definition above.
What are other names for OWASP Dependency-Check?
Common alternative names include: Dependency-Check, OWASP DC.