Usage
The OWASP dependency-check-gradle plugin monitors the project's dependencies, creating a report of known vulnerable components that are included in the build.
It is important to understand that the first time this task is executed it may take 5-20 minutes as it downloads and processes the data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov.
After the first batch download, as long as the plugin is executed at least once every seven days the update will only take a few seconds.
The Dependency-Check team strongly recommends mirroring the NVD database for any operational integration. Otherwise, any service disruption of the NVD will make using Dependency-Check difficult.
Quick Start
Step 1, Apply dependency-check-gradle plugin
Install from the Maven Central repository:
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:12.1.9'
    }
}
apply plugin: 'org.owasp.dependencycheck'
Step 2, Run the dependencyCheckAnalyze task
You can run dependency-check by executing:
./gradlew dependencyCheckAnalyze
The reports will be generated automatically under ${buildDir}/reports folder.
Task Configuration
The OWASP dependency-check-gradle plugin provides the following tasks: dependencyCheckAnalyze, dependencyCheckAggregate, dependencyCheckUpdate, and dependencyCheckPurge. Please see each task's configuration page for more information.
More information can be found in the GitHub repository.
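The following build script is an added example, not taken from the plugin's own documentation, that combines the mirroring recommendation above with the settings a team would typically pin in a task configuration: an internal NVD mirror, an API key sourced from the environment, a CVSS failure threshold, report formats and a version-controlled suppression file. The property names (nvd.datafeedUrl, nvd.apiKey, skipConfigurations, failBuildOnCVSS, formats, suppressionFile) are assumed from the plugin's configuration reference and should be checked against the task configuration page for your plugin version; the mirror URL, environment variable names and suppression path are placeholders.

```groovy
// Added example (not the plugin's own docs). Property names are assumed from
// the dependency-check-gradle configuration reference; verify them against the
// task configuration page for the plugin version you use.
plugins {
    id 'java'
    id 'org.owasp.dependencycheck' version '12.1.9'
}

dependencyCheck {
    nvd {
        // Placeholder URL for an internal mirror of the NVD data feed. Pointing
        // the download here means a NIST outage does not stall every CI build.
        // The exact URL layout depends on how the mirror is published.
        datafeedUrl = System.getenv('NVD_MIRROR_URL') ?: 'https://nvd-mirror.example.internal/'
        // Read the NVD API key from the environment rather than committing it
        // to the build script (environment variable name is a placeholder).
        apiKey = System.getenv('NVD_API_KEY')
    }

    // Only assess dependencies that ship; test-only configurations are skipped
    // so their findings do not block a release build.
    skipConfigurations = ['testImplementation', 'testRuntimeClasspath']

    // Fail the build when any finding has a CVSS score of 7.0 (High) or above.
    failBuildOnCVSS = 7.0

    // HTML for people reading the report, JSON for downstream tooling.
    formats = ['HTML', 'JSON']

    // Reviewed false positives are suppressed from a file kept under version
    // control, so every suppression has a commit history (path is a placeholder).
    suppressionFile = 'config/dependency-check-suppressions.xml'
}
```

Run it with ./gradlew dependencyCheckAnalyze as in Step 2; the reports land under ${buildDir}/reports. Keeping the suppression file in the repository, rather than lowering failBuildOnCVSS, is what keeps the threshold meaningful: each accepted finding is recorded and reviewable instead of being silently tolerated.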
Multiple Configurations
Some projects may require multiple dependency-check configurations. This is supported by registering multiple tasks:
plugins {
    id 'java'
    id 'org.owasp.dependencycheck' version '12.1.5'
}

tasks.register('dependencyCheckRelease', org.owasp.dependencycheck.gradle.tasks.Analyze) {
    dependencyCheck {
        failBuildOnCVSS = 9.0
    }
}

tasks.register('dependencyCheckCI', org.owasp.dependencycheck.gradle.tasks.Analyze) {
    dependencyCheck {
        failBuildOnCVSS = 3.0
    }
}
License
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE.txt file for the full license.
Dependency-Check makes use of several other open source libraries. Please see the NOTICE.txt file for more information.