[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-4221":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":36,"readmeContent":37,"aiSummary":38,"trendingCount":16,"starSnapshotCount":16,"syncStatus":39,"lastSyncTime":40,"discoverSource":41},4221,"DependencyCheck","dependency-check\u002FDependencyCheck","dependency-check","OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.","https:\u002F\u002Fowasp.org\u002Fwww-project-dependency-check\u002F",null,"Java",7577,1409,174,185,0,1,7,42,5,40.45,"Apache License 2.0",false,"main",true,[27,28,29,30,31,32,33,34,35],"ant-task","build-tool","gradle-plugin","jenkins-plugin","maven-plugin","security","security-audit","software-composition-analysis","vulnerability-detection","2026-06-12 02:01:00","[![Maven Central](https:\u002F\u002Fimg.shields.io\u002Fmaven-central\u002Fv\u002Forg.owasp\u002Fdependency-check-maven.svg)](https:\u002F\u002Fmvnrepository.com\u002Fartifact\u002Forg.owasp\u002Fdependency-check-maven) [![Build and Deploy Snapshot](https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck\u002Factions\u002Fworkflows\u002Fbuild.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck\u002Factions\u002Fworkflows\u002Fbuild.yml) [![CII Best 
Practices](https:\u002F\u002Fbestpractices.coreinfrastructure.org\u002Fprojects\u002F843\u002Fbadge)](https:\u002F\u002Fbestpractices.coreinfrastructure.org\u002Fprojects\u002F843) [![Apache 2.0 License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-Apache%202-blue.svg)](https:\u002F\u002Fwww.apache.org\u002Flicenses\u002FLICENSE-2.0.txt)\n\n[![Black Hat Arsenal](https:\u002F\u002Fraw.githubusercontent.com\u002Ftoolswatch\u002Fbadges\u002Fmaster\u002Farsenal\u002Fusa\u002F2018.svg?sanitize=true)](https:\u002F\u002Fwww.blackhat.com\u002Fus-18\u002Farsenal.html#jeremy-long) [![Black Hat Arsenal](https:\u002F\u002Fraw.githubusercontent.com\u002Ftoolswatch\u002Fbadges\u002Fmaster\u002Farsenal\u002Fusa\u002F2015.svg?sanitize=true)](https:\u002F\u002Fwww.blackhat.com\u002Fus-15\u002Farsenal.html#jeremy-long) [![Black Hat Arsenal](https:\u002F\u002Fraw.githubusercontent.com\u002Ftoolswatch\u002Fbadges\u002Fmaster\u002Farsenal\u002Fusa\u002F2014.svg?sanitize=true)](https:\u002F\u002Fwww.blackhat.com\u002Fus-14\u002Farsenal.html#Long) [![Black Hat Arsenal](https:\u002F\u002Fraw.githubusercontent.com\u002Ftoolswatch\u002Fbadges\u002Fmaster\u002Farsenal\u002Fusa\u002F2013.svg?sanitize=true)](https:\u002F\u002Fwww.blackhat.com\u002Fus-13\u002Farsenal.html#Long)\n\n# Dependency-Check\n\nDependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.\n\nDocumentation and links to production binary releases can be found on the [github pages](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck). 
Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].\n\n## Notice\n\nThis product uses the NVD API but is not endorsed or certified by the NVD.\n\n## Mandatory Upgrade to 12.1.0+\n\nDue to NVD API compatibility changes, an upgrade is mandatory. See [#7463](https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck\u002Fissues\u002F7463) for more information.\n\n## Breaking Changes in 11.0.0\n\n- Java 11 is now required to run dependency-check `11.0.0` or higher\n- H2 database upgrade\n\n    `11.0.0` contains breaking changes using the local H2 database. A full download\n    of the NVD data will occur. Note that if you are using a shared data directory\n    the h2 database file is not compatible with older versions of dependency-check.\n    If you run into problems you may need to run a purge:\n\n    - gradle: `.\u002Fgradlew dependencyCheckPurge`\n    - maven: `mvn org.owasp:dependency-check-maven:11.0.0:purge`\n    - cli: `dependency-check.sh --purge`\n\n## Other notices\n\n### NVD API Key Highly Recommended\n\nDependency-check moved from using the NVD data-feed to the NVD API since `9.0.0+` (January 2024).\nUsers of dependency-check are **highly** encouraged to obtain an NVD API Key; see https:\u002F\u002Fnvd.nist.gov\u002Fdevelopers\u002Frequest-an-api-key\nWithout an NVD API Key dependency-check's updates will be **extremely slow**.\nPlease see the documentation for the cli, maven, gradle, or ant integrations on\nhow to set the NVD API key.\n\n#### The NVD API Key, CI, and Rate Limiting\n\nThe NVD API has enforced rate limits. If you are using a single API KEY and\nmultiple builds occur you could hit the rate limit and receive 403 errors. In\na CI environment one must use a caching strategy.\n\n### Sonatype OSS Index API Token Now Required for usage\n\nSince September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. 
In April 2026 a\nsubsequent migration to Sonatype Guide began.\n\nIf you wish to use Sonatype OSS Index you must configure Dependency-Check and consider implications for migration to \nSonatype Guide. See the [analyzer documentation](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002Fanalyzers\u002Foss-index-analyzer.html)\nfor more information.\n\nWithout credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation \nfor the cli, maven, gradle, or ant integrations on how to set the OSS Index credentials.\n\n### Gradle build Environment\n\nWith `9.0.0+` users may encounter issues with `NoSuchMethodError` exceptions due to\ndependency resolution. If you encounter this issue you will need to pin some of\nthe transitive dependencies of dependency-check to specific versions. For example:\n\n\u002FbuildSrc\u002Fbuild.gradle\n```groovy\ndependencies {\n    constraints {\n        \u002F\u002F org.owasp.dependencycheck needs at least this version of jackson. Other plugins pull in older versions..\n        add(\"implementation\", \"com.fasterxml.jackson:jackson-bom:2.21.2\")\n\n        \u002F\u002F org.owasp.dependencycheck needs these versions. Other plugins pull in older versions..\n        add(\"implementation\", \"org.apache.commons:commons-lang3:3.20.0\")\n        add(\"implementation\", \"org.apache.commons:commons-text:1.15.0\")\n    }\n}\n```\n\n## Requirements\n\n### Java Version\n\nMinimum Java Version: Java 11\n\n### Internet Access\n\nOWASP dependency-check requires access to several externally hosted resources.\nFor more information see [Internet Access Required](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002Fdata\u002Findex.html).\n\n### Build Tools\n\nIn order to analyze some technology stacks dependency-check may require other\ndevelopment tools to be installed. 
Some of the analysis listed below may be\nexperimental and require the experimental analyzers to be enabled.\n\n1. To analyze .NET Assemblies, the dotnet 8 runtime or SDK must be installed.\n   - Assemblies targeting other runtimes can be analyzed - but 8 is required to run the analysis.\n2. If analyzing GoLang projects, `go` must be installed.\n3. The analysis of `Elixir` projects requires `mix_audit`.\n4. The analysis of `npm`, `pnpm`, and `yarn` projects requires `npm`, `pnpm`, or `yarn` to be installed.\n   - The analysis performed utilizes the respective `audit` feature of each.\n5. The analysis of Ruby is a wrapper around `bundle-audit`, which must be installed.\n\n## Current Releases\n\n### Jenkins Plugin\n\nFor instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https:\u002F\u002Fwiki.jenkins-ci.org\u002Fdisplay\u002FJENKINS\u002FOWASP+Dependency-Check+Plugin).\n\n### Command Line\n\nMore detailed instructions can be found on the\n[dependency-check github pages](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002Fdependency-check-cli\u002F).\nThe latest CLI can be downloaded from github in the [releases section](https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck\u002Freleases).\n\nDownloading the latest release:\n```\n$ VERSION=$(curl -s https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002Fcurrent.txt)\n$ curl -Ls \"https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck\u002Freleases\u002Fdownload\u002Fv$VERSION\u002Fdependency-check-$VERSION-release.zip\" --output dependency-check.zip\n```\n\nOn *nix\n```\n$ .\u002Fbin\u002Fdependency-check.sh -h\n$ .\u002Fbin\u002Fdependency-check.sh --out . --scan [path to jar files to be scanned]\n```\nOn Windows\n```\n> .\\bin\\dependency-check.bat -h\n> .\\bin\\dependency-check.bat --out . 
--scan [path to jar files to be scanned]\n```\nOn Mac with [Homebrew](http:\u002F\u002Fbrew.sh)\nNote - homebrew users upgrading from 5.x to 6.0.0 will need to run `dependency-check.sh --purge`.\n```\n$ brew update && brew install dependency-check\n$ dependency-check -h\n$ dependency-check --out . --scan [path to jar files to be scanned]\n```\n\n### Maven Plugin\n\nMore detailed instructions can be found on the [dependency-check-maven github pages](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002Fdependency-check-maven).\nBy default, the plugin is tied to the `verify` phase (i.e. `mvn verify`). Alternatively,\none can directly invoke the plugin via `mvn org.owasp:dependency-check-maven:check`.\n\nThe dependency-check plugin can be configured using the following:\n\n```xml\n\u003Cproject>\n    \u003Cbuild>\n        \u003Cplugins>\n            ...\n            \u003Cplugin>\n              \u003CgroupId>org.owasp\u003C\u002FgroupId>\n              \u003CartifactId>dependency-check-maven\u003C\u002FartifactId>\n              \u003Cexecutions>\n                  \u003Cexecution>\n                      \u003Cgoals>\n                          \u003Cgoal>check\u003C\u002Fgoal>\n                      \u003C\u002Fgoals>\n                  \u003C\u002Fexecution>\n              \u003C\u002Fexecutions>\n            \u003C\u002Fplugin>\n            ...\n        \u003C\u002Fplugins>\n        ...\n    \u003C\u002Fbuild>\n    ...\n\u003C\u002Fproject>\n```\n\n### Gradle Plugin\n\nFor instructions on the use of the Gradle Plugin, please see the [dependency-check-gradle github page](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002Fdependency-check-gradle).\n\n### Ant Task\n\nFor instructions on the use of the Ant Task, please see the [dependency-check-ant github page](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002Fdependency-check-ant).\n\n## Development Prerequisites\n\nFor installation to pass, you must have the 
following components installed:\n* Java: `java -version` 25.0\n* Maven: `mvn -version` 3.6.3 and higher\n\nTest cases require:\n* dotnet core version 8.0\n* Go: `go version` 1.12 and higher\n* Ruby [bundler-audit](https:\u002F\u002Fgithub.com\u002Frubysec\u002Fbundler-audit#install)\n* [Yarn](https:\u002F\u002Fclassic.yarnpkg.com\u002Fen\u002Fdocs\u002Finstall\u002F)\n* [pnpm](https:\u002F\u002Fpnpm.io\u002Finstallation)\n\n## Development Usage\n\nThe following instructions outline how to compile and use the current snapshot. While every effort is made to keep the snapshot stable, it is recommended\nthat the release versions listed above be used.\n\nThe repository has some large files due to test resources. The team has tried to clean up the history as much as possible.\nHowever, it is recommended that you perform a shallow clone to save yourself time:\n\n```bash\ngit clone --depth 1 https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck.git\n```\n\nOn *nix\n```\n$ mvn -s settings.xml install\n$ .\u002Fcli\u002Ftarget\u002Frelease\u002Fbin\u002Fdependency-check.sh -h\n$ .\u002Fcli\u002Ftarget\u002Frelease\u002Fbin\u002Fdependency-check.sh --out . --scan .\u002Fsrc\u002Ftest\u002Fresources\n```\nOn Windows\n```\n> mvn -s settings.xml install\n> .\\cli\\target\\release\\bin\\dependency-check.bat -h\n> .\\cli\\target\\release\\bin\\dependency-check.bat --out . --scan .\u002Fsrc\u002Ftest\u002Fresources\n```\n\nThen load the resulting 'dependency-check-report.html' into your favorite browser.\n\n#### Building without running tests\nTo speed up your turnaround cycle times, you can also compile without running the tests each time:  \n`mvn -s settings.xml install -DskipTests=true`\n\nPlease remember to at least run the tests once before opening the PR. :) \n\n### IntelliJ Idea\nTo be able to debug your tests in IntelliJ Idea, you can introduce a maven configuration that executes your test and enables debugging with breakpoints etc.  
\nBasically, you do what's described in https:\u002F\u002Fwww.jetbrains.com\u002Fhelp\u002Fidea\u002Fwork-with-tests-in-maven.html#run_single_test and set the `forkCount` to 0, otherwise debugging won't work.  \n\nStep by step:  \n- `Run -> Edit Configurations`\n- `+ (Add new configuration) -> Maven`\n- Give the Configuration a name, e.g. `Run tests`\n- Choose working directory, e.g. `core`\n- In `command line`, enter `-DforkCount=0 -f pom.xml -s ..\u002Fsettings.xml test`\n- Press `OK`\n- `Run -> Debug`, then choose the newly created run configuration\n\nIntelliJ will now execute the test run for the `core` subproject with debugging enabled. Breakpoints set anywhere in code should work.\n\n#### Only test one function or one class\nIf you would like to speed up your turnaround cycle times, you can also just test one function or one test class.  \nThis works by adding `-Dtest=MyTestClass` or `-Dtest=MyTestClass#myTestFunction` to the run configuration. The complete command line in the run configuration then would be:\n\n`-Dtest=MyTestClass#myTestFunction -DforkCount=0 -f pom.xml -s ..\u002Fsettings.xml test`\n\n\n### Docker\n\nIn the following example it is assumed that the source to be checked is in the current working directory and the reports will be written to `$(pwd)\u002Fodc-reports`. Persistent data and cache directories are used, allowing you to destroy the container after running.\n\nFor Linux:\n```sh\n#!\u002Fbin\u002Fsh\n\nDC_VERSION=\"latest\"\nDC_DIRECTORY=$HOME\u002FOWASP-Dependency-Check\nDC_PROJECT=\"dependency-check scan: $(pwd)\"\nDATA_DIRECTORY=\"$DC_DIRECTORY\u002Fdata\"\nCACHE_DIRECTORY=\"$DC_DIRECTORY\u002Fdata\u002Fcache\"\n\nif [ ! -d \"$DATA_DIRECTORY\" ]; then\n    echo \"Initially creating persistent directory: $DATA_DIRECTORY\"\n    mkdir -p \"$DATA_DIRECTORY\"\nfi\nif [ ! 
-d \"$CACHE_DIRECTORY\" ]; then\n    echo \"Initially creating persistent directory: $CACHE_DIRECTORY\"\n    mkdir -p \"$CACHE_DIRECTORY\"\nfi\n\n# Make sure we are using the latest version\ndocker pull owasp\u002Fdependency-check:$DC_VERSION\n\ndocker run --rm \\\n    -e user=$USER \\\n    -u $(id -u ${USER}):$(id -g ${USER}) \\\n    --volume $(pwd):\u002Fsrc:z \\\n    --volume \"$DATA_DIRECTORY\":\u002Fusr\u002Fshare\u002Fdependency-check\u002Fdata:z \\\n    --volume $(pwd)\u002Fodc-reports:\u002Freport:z \\\n    owasp\u002Fdependency-check:$DC_VERSION \\\n    --scan \u002Fsrc \\\n    --format \"ALL\" \\\n    --project \"$DC_PROJECT\" \\\n    --out \u002Freport\n    # Use suppression like this: (where \u002Fsrc == $pwd)\n    # --suppression \"\u002Fsrc\u002Fsecurity\u002Fdependency-check-suppression.xml\"\n```\n\nFor Windows:\n```bat\n@echo off\n\nset DC_VERSION=\"latest\"\nset DC_DIRECTORY=%USERPROFILE%\\OWASP-Dependency-Check\nSET DC_PROJECT=\"dependency-check scan: %CD%\"\nset DATA_DIRECTORY=\"%DC_DIRECTORY%\\data\"\nset CACHE_DIRECTORY=\"%DC_DIRECTORY%\\data\\cache\"\n\nIF NOT EXIST %DATA_DIRECTORY% (\n    echo Initially creating persistent directory: %DATA_DIRECTORY%\n    mkdir %DATA_DIRECTORY%\n)\nIF NOT EXIST %CACHE_DIRECTORY% (\n    echo Initially creating persistent directory: %CACHE_DIRECTORY%\n    mkdir %CACHE_DIRECTORY%\n)\n\nrem Make sure we are using the latest version\ndocker pull owasp\u002Fdependency-check:%DC_VERSION%\n\ndocker run --rm ^\n    --volume %CD%:\u002Fsrc ^\n    --volume %DATA_DIRECTORY%:\u002Fusr\u002Fshare\u002Fdependency-check\u002Fdata ^\n    --volume %CD%\u002Fodc-reports:\u002Freport ^\n    owasp\u002Fdependency-check:%DC_VERSION% ^\n    --scan \u002Fsrc ^\n    --format \"ALL\" ^\n    --project \"%DC_PROJECT%\" ^\n    --out \u002Freport\n    rem Use suppression like this: (where \u002Fsrc == %CD%)\n    rem --suppression \"\u002Fsrc\u002Fsecurity\u002Fdependency-check-suppression.xml\"\n```\n\nBuilding From 
Source\n--------------------\n\nTo build dependency-check (using Java 11), run the command:\n\n```\nmvn -s settings.xml install\n```\n\nRunning dependency-check on dependency-check\n--------------------------------------------\n\nDependency-check references several vulnerable dependencies that are never used\nexcept as test resources. All of these optional test dependencies are included in\nthe `test-dependencies` profile. To run dependency-check against itself, simply\nexclude the `test-dependencies` profile:\n\n```shell\nmvn org.owasp:dependency-check-maven:aggregate -P-test-dependencies -DskipProvidedScope=true\n```\n\nBuilding the documentation\n--------------------------\n\nThe documentation on the [github pages](https:\u002F\u002Fdependency-check.github.io\u002FDependencyCheck\u002F) is generated from this repository:\n\n    mvn -s settings.xml site site:stage\n\nOnce done, point your browser to `.\u002Ftarget\u002Fstaging\u002Findex.html`.\n\nBuilding The Docker Image\n-------------------------\nTo build the dependency-check Docker image, run the command:\n\n```\nmvn -s settings.xml install\n.\u002Fdocker-build.sh\n```\n\nLicense\n-------\n\nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https:\u002F\u002Fraw.githubusercontent.com\u002Fdependency-check\u002FDependencyCheck\u002Fmain\u002FLICENSE.txt) file for the full license.\n\nDependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt][notices] file for more information.\n\nThis product uses the NVD API but is not endorsed or certified by the NVD.\n\nCopyright (c) 2012-2025 Jeremy Long. 
All Rights Reserved.\n\n  [wiki]: https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck\u002Fwiki\n  [notices]: https:\u002F\u002Fgithub.com\u002Fdependency-check\u002FDependencyCheck\u002Fblob\u002Fmain\u002FNOTICE.txt\n\n\u003Cimg referrerpolicy=\"no-referrer-when-downgrade\" src=\"https:\u002F\u002Fstatic.scarf.sh\u002Fa.png?x-pxid=c78174f3-f898-4a5d-b3ab-1202b7db8ef6\" \u002F>\n","Dependency-Check is a software composition analysis tool for detecting publicly disclosed security vulnerabilities in a project's dependencies. Its core function is to identify the CPE identifiers of dependencies and generate reports linked to the associated CVE entries; it integrates with multiple build tools as plugins for Maven, Gradle, Ant and others. The tool is written in Java, licensed under the Apache License 2.0, and suits software development workflows that need continuous monitoring of open-source component security, especially automated security audits in CI\u002FCD pipelines.",2,"2026-06-11 02:59:04","top_language"]