Questions tagged [owasp-dependency-check]

OWASP Dependency-Check is a tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It can be run as a command-line application, or through integrations with popular build systems such as Maven, Gradle or Brew.

Home page: https://owasp.org/www-project-dependency-check/

Documentation: https://jeremylong.github.io/DependencyCheck/

19 questions
12 votes, 2 answers

Tool to check known vulnerabilities in PHP project using composer

I am working on a PHP project that uses composer but some of the dependencies are very old, including the PHP version. We are trying to convince the client to upgrade the version of PHP and consequently all other dependencies. We would like to…
Asked by Cris Pinto
9 votes, 1 answer

Is there any OWASP checking tool for Scala projects?

I found there is an OWASP dependency checking tool for Java projects: https://www.owasp.org/index.php/OWASP_Dependency_Check I tried the tool on Scala projects, but it can find no dependencies. Is there any similar thing for Scala projects?
Asked by Freewind
6 votes, 1 answer

OWASP dependency-check Maven vs command line: not the same results

On a Maven project, I am running both the OWASP dependency-check-maven plugin as well as the OWASP command line tool in order to generate a report with dependencies having vulnerabilities. What I cannot understand is how those two tools operate. In…
5 votes, 0 answers

OWASP suppression, ignore entire folder

I am using the OWASP dependency tool with retirejs and I am trying to figure out how to exclude an entire folder in my build. Right now I have it as so: dependencyCheck{ outputDirectory = "${projectDir}/reports" suppressionFile =…
Asked by Ed Dunn
5 votes, 1 answer

How to display OWASP Dependency-Check Maven results for several projects in one dashboard

I have several projects using the OWASP Dependency-Check Maven plugin. This is working perfectly for each. But I would like to merge all the project results in one dashboard, as I've got many projects... I thought it was possible with "Dashboard…
3 votes, 1 answer

Why is a vulnerability identified by the OWASP Dependency-Check tool for Mule Runtime 4.4.0 if it doesn't actually belong to that version?

My Mule application is built using Mule runtime 4.4.0. In the pom.xml of the application, I have specified the "mule-http-connector@1.7.3" dependency as shown below: org.mule.connectors
Asked by Jaci_2019
3 votes, 1 answer

OWASP Dependency Check and Jenkins Pipeline

I am trying to add Dependency Check into my Jenkinsfile without success. Plugin installation and configuration done. Global Tool Configuration: Name: Vulnerability5; Install automatically (checked); Version: dependency-check 5.2.4. pipeline { …
1 vote, 0 answers

Run OWASP Dependency Check on all old versions

The normal OWASP Dependency Check Maven plug-in does a good job of scanning the current version of a project for vulnerabilities in its dependencies. But how about vulnerabilities that are reported for the dependencies of old versions of the…
Asked by Lii
1 vote, 1 answer

owasp-dependency-check: JavaScript code is not analyzed

I am trying to use the NPM module owasp-dependency-check in order to highlight possible vulnerabilities in the code of my web project. I have installed version 0.0.18, the latest. I want to analyse the custom code I wrote (directory src) and the…
Asked by Marco Faustinelli
0 votes, 1 answer

CORS issue with Dependency-Track containers

I need help solving a CORS issue. I am trying to run Dependency-Track using Docker. I have pulled the docker-compose file following the instructions here. I have modified the configuration file to use my local IP address instead of localhost: for the…
0 votes, 1 answer

Dependency-Check offline issue (mvn -o)

I am currently facing a challenge with running the Dependency-Check plugin in offline mode using "mvn -o". Although I have mirrored all external resources locally, I encounter an issue that prevents successful execution. The specific error message…
0 votes, 1 answer

Can't see CVEs (vulnerabilities) on Sonar UI under Project > Issues. Used to see them in the past. Has anything changed?

We're using a combination of Jenkins and the Sonar plugin for OWASP Dependency-Check https://owasp.org/www-project-dependency-check/. The reports in HTML and JSON are getting generated during the pipeline build in Jenkins and we could also see HTML reports from…
Asked by mansing shinde
0 votes, 1 answer

Is cyclonedx-buildroot expected to generate compatible SBOMs for Dependency-Track?

I am trying to generate SBOMs for our Buildroot builds and analyze them for vulnerabilities using Dependency-Track. I am using the Buildroot manifest.csv file and the OWASP tool 'cyclonedx-buildroot'…
0 votes, 0 answers

BOM does not conform to the CycloneDX BOM standard

I am using the Gradle CycloneDX plugin to generate a BOM file for a few LEGACY Java projects. I have only had to make 2 minor updates to the existing build.gradle files for each project. The updates being to add the following 2 lines: dependencies…
0 votes, 0 answers

Jenkins pipeline is not loading dependency vulnerabilities in Sonar for a Node.js project

I've got a Jenkins pipeline created with the sole purpose of executing static code analysis with SonarQube on a Node.js project. My environment is like this: Sonar v.9.9.0.65466 (on a Windows Server), Jenkins v.2.387.3 (on a Windows…
Asked by aleber