Dependency-Check: Open-source Software Composition Analysis (SCA) tool
Dependency-Check is an open-source Software Composition Analysis (SCA) tool to identify publicly disclosed vulnerabilities within a project’s dependencies.
The tool analyzes dependencies for Common Platform Enumeration (CPE) identifiers. When a match is found, the tool generates a report with links to the relevant Common Vulnerabilities and Exposures (CVE) entries, helping teams address security risks.
Dependency-Check main components
The tool is made up of four main components:
- Engine: The central controller that orchestrates the execution of all other components in the correct sequence.
- Scanner: Traverses the files and directories specified by the -scan command-line parameter, identifying files that can be processed by an available Analyzer. These files serve as the foundation for creating Dependency objects.
- Analyzer: The core component of the application, responsible for processing dependencies. It enriches Dependency objects by adding relevant information such as Evidence, Identifiers, or Vulnerabilities (detailed below).
- Report Generator: Compiles and generates reports on identified dependencies based on Analyzer findings, utilizing Velocity Templates to structure the output.
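The report the Report Generator emits is what a build pipeline actually consumes, so the useful next step after a scan is to post-process it: list each vulnerable dependency with its CVE entries and fail the build above a chosen CVSS threshold. The script below is an added example, not code from the Dependency-Check project. It assumes the layout of the tool's JSON report format (a top-level dependencies array whose entries carry fileName, packages with a purl id, and vulnerabilities with name, severity and a cvssv3.baseScore or cvssv2.score); the embedded report is constructed for the example and its CVE identifiers are placeholders, not real advisories.

```python
"""Summarise a Dependency-Check JSON report and apply a CVSS gate.

Added example, not part of the Dependency-Check project. It assumes the
report layout described in the lead-in (dependencies[] -> vulnerabilities[]
with name, severity and cvssv3.baseScore / cvssv2.score). The sample report
below is constructed; its CVE ids are placeholders.
"""
import json

# Constructed sample in the shape of a Dependency-Check JSON report.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "example-lib-1.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-lib@1.0"}],
            "vulnerabilities": [
                {"name": "CVE-PLACEHOLDER-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM",
                 "cvssv3": {"baseScore": 5.3}},
            ],
        },
        {
            # A dependency with no findings has no "vulnerabilities" key at all.
            "fileName": "clean-lib-2.3.jar",
            "packages": [{"id": "pkg:maven/org.example/clean-lib@2.3"}],
        },
        {
            # Older advisories may carry only a CVSS v2 score.
            "fileName": "old-lib-0.9.jar",
            "vulnerabilities": [
                {"name": "CVE-PLACEHOLDER-0003", "severity": "HIGH",
                 "cvssv2": {"score": 7.5}},
            ],
        },
    ],
})


def score_of(vuln):
    """Return the CVSS base score, preferring v3 and falling back to v2."""
    v3 = vuln.get("cvssv3")
    if v3 and "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2")
    if v2 and "score" in v2:
        return float(v2["score"])
    return 0.0  # no score published: never blocks the build, but is still listed


def load_findings(report_text):
    """Flatten the report into one row per (dependency, CVE) pair."""
    report = json.loads(report_text)
    rows = []
    for dep in report.get("dependencies", []):
        purls = [p.get("id", "") for p in dep.get("packages", [])]
        purl = purls[0] if purls else ""
        for vuln in dep.get("vulnerabilities", []):
            rows.append({
                "dependency": dep.get("fileName", "?"),
                "purl": purl,
                "cve": vuln.get("name", "?"),
                "severity": vuln.get("severity", "UNKNOWN").upper(),
                "score": score_of(vuln),
            })
    return rows


def gate(findings, fail_on_cvss):
    """Return the findings at or above the threshold; an empty list means pass."""
    return [f for f in findings if f["score"] >= fail_on_cvss]


def summarise(findings):
    """Count findings per severity label."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print("findings by severity:", summarise(findings))
    blocking = gate(findings, fail_on_cvss=7.0)
    for f in blocking:
        print(f"BLOCK {f['cve']} (CVSS {f['score']}) in {f['dependency']} {f['purl']}")
    raise SystemExit(1 if blocking else 0)
```

Run it against a real report by replacing SAMPLE_REPORT with the contents of the JSON file the tool writes; the exit status makes it usable as a CI gate. Preferring the v3 score and falling back to v2 matters because a gate that only reads cvssv3 silently passes older advisories that were never rescored.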
Vulnerability database
The tool automatically updates its vulnerability database using NIST’s NVD Data Feeds. The initial data download may take five minutes or longer, but subsequent updates need only a small XML file, provided the tool is run at least once every seven days so that the local data stays current. This product uses the NVD API but is not endorsed or certified by the NVD.
Dependency-Check is available for free on GitHub.