🌐
OWASP
owasp.org › www-project-dependency-check
OWASP Dependency-Check | OWASP Foundation
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. The OWASP Top 10 2013 contained a new entry: A9-Using Components with Known Vulnerabilities.
HOME
OWASP Foundation, the Open Source Foundation for Application Security on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
ABOUT
About the OWASP Foundation on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
PROJECTS
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. ... The leading open source application vulnerability management tool built for DevOps and continuous security integration. ... Dependency-Check is a Software ...
CHAPTERS
OWASP Local Chapters on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
🌐
GitHub
github.com › dependency-check › DependencyCheck
GitHub - dependency-check/DependencyCheck: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. · GitHub
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. - dependency-check/DependencyCheck
Starred by 7.6K users
Forked by 1.4K users
Languages   Java 96.8% | PLSQL 0.8% | Groovy 0.7% | PLpgSQL 0.6% | TSQL 0.5% | Shell 0.4%
Discussions

Is OWASP Dependency-Check still worth running in CI?
I'd replace it with OWASP dep-scan More on reddit.com
🌐 r/devsecops
8
4
May 13, 2026
java - OWASP Dependency check, how to use suppressions - Stack Overflow
I have a build in CI failing on a the OWASP dependency check. For example [HIGH] CVE-2021-37136 - io.netty:netty-codec-4.1.66.Final I understand I can add a suppression in More on stackoverflow.com
🌐 stackoverflow.com
How often do you review your dependencies?
With every build. Security Scanners are in the pipeline. We don't have a regular scan that goes over source code for projects that are built less often, yet More on reddit.com
🌐 r/devops
38
39
September 9, 2023
OWASP dependency checker
Hello there! Has anyone used the OWASP dependency checker before, alongside of other SAST tools on their Jenkins pipelines? More on reddit.com
🌐 r/cybersecurity
2
3
October 3, 2021
🌐
Visual Studio Marketplace
marketplace.visualstudio.com › items
OWASP Dependency Check - Visual Studio Marketplace
August 6, 2019 - Extension for Azure DevOps - Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
🌐
Jenkins
plugins.jenkins.io › dependency-check-jenkins-plugin
OWASP Dependency-Check | Jenkins plugin
April 8, 2026 - Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2017: A9 - Using Components with Known ...
🌐
Dependency-check
dependency-check.github.io › DependencyCheck
About – OWASP Dependency-Check
OWASP dependency-check is an open source solution to the OWASP Top 10 2021 entry: A06:2021 – Vulnerable and Outdated Components. Dependency-check can currently be used to scan software to identify the use of known vulnerable components. For a full list of supported languages/technologies ...
🌐
Docker Hub
hub.docker.com › r › owasp › dependency-check
owasp/dependency-check - Docker Image
OWASP dependency-check detects publicly disclosed vulnerabilities within project dependencies.
🌐
Mend
mend.io › blog › application security › owasp dependency check: how does it work?
OWASP Dependency Check: How It Works, Pros, and Cons
May 14, 2025 - OWASP Dependency Check is a software composition analysis (SCA) tool designed to identify known vulnerabilities in project dependencies.
Find elsewhere
🌐
OWASP
owasp.org › www-project-dep-scan
OWASP dep-scan | OWASP Foundation
Optionally, pass the argument --deep to generate an SBoM with both OS and application packages and to check for application vulnerabilities. All OS packages. ... All OS and application packages. ... dep-scan can scan the dependencies for any license limitations and report them directly on the console log.
🌐
OWASP
owasp.org › www-project-dependency-track
OWASP Dependency-Track | OWASP Foundation
The CycloneDX standard and use with Dependency-Track is not limited to SBOM use cases. Software consumers may optionally audit security findings from vendor SBOMs. If consumers discover discrepancies in vendor supplied VEX, consumers can share their own auto-generated VEX with suppliers, completing a bi-directional exchange of vulnerability and exploitability information. ... The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
🌐
Defectdojo
defectdojo.com › integrations › owasp-dependency-check
OWASP Dependency Check
OWASP Dependency-Check is an open-source software composition analysis (SCA) tool that identifies known security vulnerabilities in project dependencies by analyzing manifest files such as pom.xml, package.json, and requirements.txt, then cross-referencing components against the National ...
🌐
Codacy
blog.codacy.com › owasp-dependency-check
A Deep Dive Into OWASP Dependency-Check
April 3, 2026 - It was created by the OWASP organization to address one of the OWASP Top 10 vulnerabilities: Vulnerable and outdated components. Dependency-Check currently provides comprehensive support for Java, Node.js, and .NET-based products, as well as experimental support for Python, Dart, SWIFT, and Golang.
🌐
HackerOne
hackerone.com › knowledge-center › owasp-dependency-check-how-it-works-benefits-and-proscons
OWASP Dependency-Check: How It Works, Benefits, and Pros/Cons | HackerOne
What is OWASP Dependency-Check?7 Minute ReadOWASP Dependency-Check is a tool that checks for known vulnerabilities in third-party libraries used by a software application. It does this by checking the dependencies of the application against ...
🌐
Reddit
reddit.com › r/devsecops › is owasp dependency-check still worth running in ci?
r/devsecops on Reddit: Is OWASP Dependency-Check still worth running in CI?
May 13, 2026 -

Been using Dependency-Check for years. Starting to feel like it’s mostly noise now. CPE matching is still messy, false positives are common, and the suppression file becomes its own maintenance project.

Do you find it still useful? Or it became a legacy checkbox scanner?

🌐
GitHub
github.com › jeremylong › DependencyCheck
GitHub - jeremylong/DependencyCheck: The dependency-check repository has moved: · GitHub
September 27, 2025 - The OWASP dependency-check repository has moved to https://github.com/dependency-check/DependencyCheck.
Starred by 54 users
Forked by 26 users
Languages   Java 65.6% | JavaScript 21.7% | CMake 8.3% | M4 1.3% | PLSQL 0.6% | Groovy 0.5%
🌐
Owasp
devguide.owasp.org › en › 05-implementation › 02-dependencies › 01-dependency-check
Dependency-Check - OWASP Developer Guide
Dependency-Check was started in September 2012 and since then has been continuously supported with regular releases. Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
🌐
Medium
medium.com › @manas.pandey45 › owasp-dependency-check-882343a31b42
OWASP — Dependency check
February 10, 2024 - Here is a quick way on how to run it and how the results look, the check can be integrated with ... <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>9.0.9</version> <executions> <execution> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin>
Top answer
1 of 5
5

Below answer is based on gradle OWASP plugin version 7.4.4.

Below in my build.gradle

id "org.owasp.dependencycheck" version "7.4.4"

And below is the task configuration

dependencyCheck {
    formats = ['xml','json']
    failBuildOnCVSS = 8
    failOnError = true
    suppressionFile = 'config/dependency-check/suppressions.xml'
    check.dependsOn(dependencyCheckAnalyze)
}

And as you see we have provided a path to suppressionFile where we can define the suppression for vulnerabilities.

So, in my case our sonar build was failing due to

Filename: spring-security-oauth2-client-5.6.3.jar | Reference: CVE-2022-22978 | CVSS Score: 9.8

Filename: snakeyaml-1.33.jar | Reference: CVE-2022-1471 | CVSS Score: 9.8

So, I have added them in Suppression.xml and my file looks like below

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This suppresses a CVE from SnakeYaml as it needs to wait until SpringBoot 3 upgrade
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
        <vulnerabilityName>CVE-2022-1471</vulnerabilityName>
    </suppress>
    <suppress until="2023-06-01Z">
        <notes><![CDATA[
        This suppresses a CVE from OAuth Client as it needs to wait until SpringBoot 3 upgrade
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-oauth2\-client@.*$</packageUrl>
        <vulnerabilityName>CVE-2022-22978</vulnerabilityName>
    </suppress>
</suppressions>

I recommend to use until="2023-06-01Z" so you don't suppress them forever.

Vulnerabilities can be suppressed in number of different combinations. So, please refer https://jeremylong.github.io/DependencyCheck/general/suppression.html and decide which option suits your requirement.

2 of 5
3

#1 Click on the 'artifacts' tab on the OWASP dependency check task in CI and the html report is there.

#2 'File' in this context means the file inside the jar that is warranting the dependency issue. It will be given to you in the html report.

🌐
Wso2
security.docs.wso2.com › en › latest › security-guidelines › secure-engineering-guidelines › external-dependency-analysis-analysis-using-owasp-dependency-check
External Dependency Analysis Analysis using OWASP Dependency Check
This document provides details of all necessary steps for using OWASP Dependency Check Command Line Client (CLI)1 tool and the Maven plugin2 for analyzing 3rd party dependencies used in projects for identifying known security vulnerabilities.
🌐
Jenkins
jenkins.io › doc › pipeline › steps › dependency-check-jenkins-plugin
OWASP Dependency-Check Plugin
With 9.0.0 dependency-check has moved from using the NVD data-feed to the NVD API.
🌐
Snyk
security.snyk.io › snyk vulnerability database › maven
org.owasp:dependency-check-maven | Snyk
Security vulnerabilities and package health score for Maven package org.owasp:dependency-check-maven