OWASP Dependency-Check
What is OWASP Dependency-Check?
OWASP Dependency-Check: An open-source software composition analysis tool from OWASP that scans project dependencies and reports known vulnerabilities by matching CPEs to CVE data.
OWASP Dependency-Check is a free software composition analysis (SCA) tool that identifies publicly disclosed vulnerabilities in a project's third-party dependencies. It analyzes Java, .NET, Node.js, Python, Ruby, PHP, and other ecosystems by extracting evidence from files, mapping each artifact to a Common Platform Enumeration (CPE) identifier, and cross-referencing that CPE against the National Vulnerability Database (NVD), GitHub Advisories, and other feeds. It runs as a CLI, a Maven or Gradle plugin, a Jenkins plugin, a GitHub Action, or a Docker image, and produces HTML, JSON, JUnit, and SARIF reports for CI/CD pipelines. Teams use it alongside SAST and DAST to enforce baseline SBOM hygiene and to evidence due diligence for supply-chain risk management.
● Examples
- Failing a Jenkins build when Dependency-Check reports a CVSS 9.0+ vulnerability in a Maven dependency.
- Exporting Dependency-Check SARIF results to the GitHub Security tab for centralized triage.
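A Maven plugin configuration that implements both examples above, added here as an illustration rather than taken from the page or from the project's own documentation; the version property and the suppression file name are assumptions.

```xml
<!-- Added example: dependency-check-maven wired to break the build on critical findings
     and to emit SARIF alongside the HTML report. The version property and the
     suppression file name are assumptions, not values from the page. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>${dependency-check.version}</version> <!-- assumption: set in <properties> -->
      <configuration>
        <!-- Fail the build when any dependency carries a CVE scoring 9.0 or higher.
             The default of 11 can never be reached, so the build never fails. -->
        <failBuildOnCVSS>9</failBuildOnCVSS>
        <!-- HTML for reviewers, SARIF for upload to GitHub code scanning. -->
        <formats>
          <format>HTML</format>
          <format>SARIF</format>
        </formats>
        <!-- CPE matching is heuristic, so confirmed false positives are recorded
             in a suppression file rather than by lowering the threshold. -->
        <suppressionFiles>
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- The NVD API key (nvdApiKey) belongs in settings.xml or an environment
             variable supplied by the CI system, never in a committed pom. -->
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- "check" binds to the verify phase by default, so "mvn verify"
                 in the Jenkins stage fails when the threshold is exceeded. -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

For the GitHub Security tab, the generated `target/dependency-check-report.sarif` is uploaded with the `github/codeql-action/upload-sarif` action in a subsequent workflow step.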
● Frequently asked questions
What is OWASP Dependency-Check?
See the definition above; the tool is listed under the Compliance & Frameworks category of cybersecurity.
What are other names for OWASP Dependency-Check?
Common alternative names include: Dependency-Check, OWASP DC.
● Related terms
- OWASP ZAP (compliance): Zed Attack Proxy, an open-source web application security testing tool originally from OWASP and now stewarded by Checkmarx and the ZAP community.
- OWASP ASVS (compliance): The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
- CVE (Common Vulnerabilities and Exposures) (vulnerabilities): A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so that it can be referenced unambiguously across the industry.