OWASP Dependency-Check in Java: Comprehensive Dependency Vulnerability Scanning

OWASP Dependency-Check is a software composition analysis tool that identifies project dependencies and checks for known vulnerabilities. This guide covers comprehensive integration and customization for Java projects.


Core Concepts

What is OWASP Dependency-Check?

  • Open-source Software Composition Analysis (SCA) tool
  • Scans dependencies for known vulnerabilities
  • Supports multiple programming languages and package managers
  • Integrates with CI/CD pipelines
  • Uses NVD (National Vulnerability Database) and other data sources

Key Features:

  • Automatic dependency detection
  • Comprehensive vulnerability databases
  • Multiple output formats (HTML, JSON, XML, etc.)
  • Build tool integration (Maven, Gradle, Ant, SBT)
  • Continuous monitoring capabilities

Dependencies and Setup

1. Maven Dependencies
<properties>
<owasp.dependency.check.version>8.4.2</owasp.dependency.check.version>
</properties>
<!-- Maven Plugin -->
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>${owasp.dependency.check.version}</version>
<configuration>
<format>HTML</format>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
<failOnError>true</failOnError>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
2. Gradle Dependencies
// build.gradle
plugins {
id 'org.owasp.dependencycheck' version '8.4.2'
}
dependencyCheck {
format = 'HTML'
failBuildOnAnyVulnerability = true
failOnError = true
}
3. Command Line Installation
# Download latest version
wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.2/dependency-check-8.4.2-release.zip
unzip dependency-check-8.4.2-release.zip
cd dependency-check/bin
# Add to PATH
export PATH=$PATH:$(pwd)

Basic Usage

1. Maven Basic Usage
# Basic scan
mvn org.owasp:dependency-check-maven:check
# With specific configuration
mvn org.owasp:dependency-check-maven:check -DfailBuildOnAnyVulnerability=true
# Skip tests for faster scanning
mvn org.owasp:dependency-check-maven:check -DskipTests
2. Gradle Basic Usage
# Basic scan
./gradlew dependencyCheckAnalyze
# With specific configuration
./gradlew dependencyCheckAnalyze -DfailBuildOnAnyVulnerability=true
3. Command Line Basic Usage
# Scan a Maven project
dependency-check.sh --project "MyApp" --scan "pom.xml" --out "reports/"
# Scan a Gradle project
dependency-check.sh --project "MyApp" --scan "build.gradle" --out "reports/"
# Scan JAR files
dependency-check.sh --project "MyApp" --scan "target/*.jar" --out "reports/"

Comprehensive Configuration

1. Maven Full Configuration
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.2</version>
<configuration>
<!-- Output Configuration -->
<format>HTML</format>
<outputDirectory>${project.build.directory}/dependency-check</outputDirectory>
<outputFileName>dependency-check-report</outputFileName>
<!-- Scan Configuration -->
<scanSet>
<scan>${project.basedir}/src</scan>
<scan>${project.basedir}/pom.xml</scan>
</scanSet>
<assemblyAnalyzerEnabled>true</assemblyAnalyzerEnabled>
<artifactoryAnalyzerEnabled>false</artifactoryAnalyzerEnabled>
<centralAnalyzerEnabled>true</centralAnalyzerEnabled>
<!-- Failure Configuration -->
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
<failOnError>true</failOnError>
<failBuildOnCVSS>7</failBuildOnCVSS>
<!-- Suppression Configuration -->
<suppressionFiles>
<suppressionFile>${project.basedir}/security/dependency-check-suppressions.xml</suppressionFile>
</suppressionFiles>
<!-- Data Configuration -->
<cveValidForHours>24</cveValidForHours>
<dataDirectory>${user.home}/.dependency-check</dataDirectory>
<!-- Advanced Configuration -->
<junitAnalyzerEnabled>true</junitAnalyzerEnabled>
<nodeAnalyzerEnabled>false</nodeAnalyzerEnabled>
<nodePackageSkipDevDependencies>true</nodePackageSkipDevDependencies>
<retireJsAnalyzerEnabled>true</retireJsAnalyzerEnabled>
<retireJsFilterNonVulnerable>true</retireJsFilterNonVulnerable>
<!-- Proxy Configuration -->
<proxyServer>proxy.company.com</proxyServer>
<proxyPort>8080</proxyPort>
<proxyUsername>user</proxyUsername>
<proxyPassword>pass</proxyPassword>
<!-- Database Configuration -->
<connectionString>jdbc:h2:file:${user.home}/.dependency-check/dc</connectionString>
<databaseDriverName>org.h2.Driver</databaseDriverName>
<databaseDriverPath>/path/to/h2.jar</databaseDriverPath>
<!-- Performance Configuration -->
<threadCount>4</threadCount>
</configuration>
<executions>
<execution>
<id>dependency-check</id>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
<dependencies>
<!-- H2 Database Driver -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>2.1.214</version>
</dependency>
</dependencies>
</plugin>
2. Gradle Full Configuration
// build.gradle
dependencyCheck {
// Output Configuration
format = 'ALL'
outputDirectory = file("${buildDir}/reports/dependency-check")
// Scan Configuration
scanConfigurations = ['runtimeClasspath']
scanProjects = [project]
analyzedTypes = ['jar', 'war', 'ear', 'zip']
// Failure Configuration
failBuildOnAnyVulnerability = true
failOnError = true
failBuildOnCVSS = 7.0
// Suppression Configuration
suppressionFile = file('security/dependency-check-suppressions.xml')
// Data Configuration
cveValidForHours = 24
data {
directory = file("${System.getProperty('user.home')}/.dependency-check")
}
// Analyzer Configuration (every per-analyzer switch lives inside the analyzers block)
analyzers {
assemblyEnabled = true
artifactoryEnabled = false
centralEnabled = true
nexusEnabled = false
opensslEnabled = true
ossIndexEnabled = false
jarEnabled = true
nodeEnabled = false
nugetconfEnabled = false
nuspecEnabled = false
retirejs {
enabled = true
filterNonVulnerable = true
}
nodeAudit {
enabled = false
skipDevDependencies = true
}
}
// Proxy Configuration
proxy {
server = "proxy.company.com"
port = 8080
username = "user"
password = "pass"
}
}
// Task dependencies
check.dependsOn dependencyCheckAnalyze
3. Configuration File (dependency-check.properties)
# General Settings
odc.data.directory=${user.home}/.dependency-check
cve.startyear=2002
# Analyzer Settings
analyzer.assembly.enabled=true
analyzer.artifactory.enabled=false
analyzer.central.enabled=true
analyzer.nexus.enabled=false
analyzer.openssl.enabled=true
analyzer.ossindex.enabled=false
# RetireJS Settings
analyzer.retirejs.enabled=true
analyzer.retirejs.filter.non.vulnerable=true
# Failure Settings
failBuildOnAnyVulnerability=true
failBuildOnCVSS=7
# Proxy Settings
proxy.server=proxy.company.com
proxy.port=8080
proxy.username=user
proxy.password=pass
# Database Settings
db.driver.name=org.h2.Driver
db.driver.path=/path/to/h2.jar
db.connection.string=jdbc:h2:file:${user.home}/.dependency-check/dc
# Performance Settings
threadCount=4

Suppression Files

1. Basic Suppression File
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Suppress by CVE -->
<suppress>
<notes><![CDATA[
False positive - This vulnerability doesn't affect our usage
]]></notes>
<cve>CVE-2021-44228</cve>
</suppress>
<!-- Suppress by dependency hash -->
<suppress>
<notes><![CDATA[
Internal library with no external dependencies
]]></notes>
<sha1>a1b2c3d4e5f6789012345678901234567890123</sha1>
</suppress>
<!-- Suppress by package name and version -->
<suppress>
<notes><![CDATA[
Vulnerability is in test scope and doesn't affect production
]]></notes>
<packageUrl regex="true">^pkg:maven/junit/junit@.*$</packageUrl>
</suppress>
<!-- Suppress until specific date -->
<suppress until="2024-12-31">
<notes><![CDATA[
Waiting for patch from vendor
]]></notes>
<cve>CVE-2023-12345</cve>
</suppress>
<!-- Suppress vulnerabilities below CVSS score -->
<suppress base="true">
<notes><![CDATA[
Suppress all vulnerabilities with CVSS score below 4.0
]]></notes>
<cvssBelow>4.0</cvssBelow>
</suppress>
</suppressions>
2. Advanced Suppression Rules
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Suppress by file path -->
<suppress>
<notes><![CDATA[
Suppress vulnerabilities in test dependencies
]]></notes>
<filePath regex="true">.*/test/.*</filePath>
</suppress>
<!-- Suppress by dependency coordinates -->
<suppress>
<notes><![CDATA[
Suppress specific version of log4j-core
]]></notes>
<gav>org.apache.logging.log4j:log4j-core:2.17.1</gav>
</suppress>
<!-- Suppress by vulnerability name pattern -->
<suppress>
<notes><![CDATA[
Suppress every CVE identifier from 2021. The cve element is an exact match,
so a pattern needs vulnerabilityName with regex="true"
]]></notes>
<vulnerabilityName regex="true">^CVE-2021-.*$</vulnerabilityName>
</suppress>
<!-- Time-boxed suppression: until is an attribute of suppress, not a child element -->
<suppress until="2024-06-30">
<notes><![CDATA[
Suppress only if no newer version available
]]></notes>
<gav>com.example:library:1.2.3</gav>
<cve>CVE-2022-12345</cve>
</suppress>
<!-- Package pattern suppression -->
<suppress>
<notes><![CDATA[
Suppress all vulnerabilities in example packages
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.example/.*@.*$</packageUrl>
</suppress>
</suppressions>
3. Organization-wide Suppression File
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Organization-wide false positives -->
<suppress base="true">
<notes><![CDATA[
Suppress low severity vulnerabilities organization-wide
]]></notes>
<cvssBelow>4.0</cvssBelow>
</suppress>
<!-- Approved vulnerable dependencies -->
<suppress>
<notes><![CDATA[
Approved vulnerable dependency with risk acceptance
]]></notes>
<gav>org.springframework:spring-core:5.3.18</gav>
<cve>CVE-2022-22965</cve>
</suppress>
<!-- Development tools suppression -->
<suppress>
<notes><![CDATA[
Development tools that don't affect production
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.projectlombok/lombok@.*$</packageUrl>
</suppress>
<!-- Test dependencies suppression -->
<suppress>
<notes><![CDATA[
Test-only dependencies
]]></notes>
<gav>junit:junit:4.13.2</gav>
</suppress>
</suppressions>
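Suppression files are an accepted-risk register, so they deserve review like any other security control. The following auditor is an added example (not from this page or the Dependency-Check project) that flags the rules a reviewer would question: no justification in notes, an expired until date, a rule that blankets a whole dependency without naming a CVE, and wide-open regexes. It runs on a constructed sample file, or on a path passed as the first argument.

```python
"""Audit a Dependency-Check suppression file for hygiene problems."""
import re
import sys
import xml.etree.ElementTree as ET
from datetime import date

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample: one expired rule, two blanket rules, one rule without notes
SAMPLE_SUPPRESSIONS = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2024-06-30">
    <notes><![CDATA[Waiting for vendor patch]]></notes>
    <gav>com.example:library:1.2.3</gav>
    <cve>CVE-2022-12345</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[Test-only dependencies]]></notes>
    <gav>junit:junit:4.13.2</gav>
  </suppress>
  <suppress>
    <notes><![CDATA[Suppress all vulnerabilities in example packages]]></notes>
    <packageUrl regex="true">^pkg:maven/com\\.example/.*@.*$</packageUrl>
  </suppress>
  <suppress>
    <cvssBelow>4.0</cvssBelow>
  </suppress>
</suppressions>
"""

# Elements that narrow a rule to particular findings vs. elements that select a dependency
MATCHERS = ("cve", "vulnerabilityName", "cwe", "cvssBelow")
TARGETS = ("sha1", "gav", "packageUrl", "filePath", "cpe")


def audit(xml_text, today=None):
    """Return a list of (rule_index, problem) tuples; today is an ISO date string or None."""
    today = date.fromisoformat(today) if today else date.today()
    problems = []
    root = ET.fromstring(xml_text)
    for idx, rule in enumerate(root.findall("s:suppress", NS), start=1):
        notes = rule.find("s:notes", NS)
        if notes is None or not (notes.text or "").strip():
            problems.append((idx, "missing justification in <notes>"))
        until = rule.get("until")
        if until and date.fromisoformat(until) < today:
            problems.append((idx, f"expired on {until}; re-evaluate or remove"))
        has_target = any(rule.find(f"s:{t}", NS) is not None for t in TARGETS)
        has_matcher = any(rule.find(f"s:{m}", NS) is not None for m in MATCHERS)
        if has_target and not has_matcher and rule.get("base") != "true":
            problems.append((idx, "suppresses every vulnerability of the dependency, not a specific CVE"))
        # Two unanchored wildcards in one regex usually means the rule matches far more than intended
        for tag in ("packageUrl", "filePath", "gav", "cpe"):
            el = rule.find(f"s:{tag}", NS)
            if el is not None and el.get("regex") == "true" and re.search(r"\.\*.*\.\*", el.text or ""):
                problems.append((idx, f"broad regex in <{tag}>: {el.text}"))
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SUPPRESSIONS
    findings = audit(text)
    for idx, msg in findings:
        print(f"suppress #{idx}: {msg}")
    sys.exit(1 if findings else 0)
```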

CI/CD Integration

1. GitHub Actions
# .github/workflows/dependency-check.yml
name: Dependency Check
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'  # Weekly scan
jobs:
  dependency-check:
    name: OWASP Dependency Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
      - name: Cache Dependency-Check data
        uses: actions/cache@v3
        with:
          path: ~/.dependency-check
          key: ${{ runner.os }}-dependency-check-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-dependency-check-
      - name: Run Dependency-Check
        run: |
          mvn org.owasp:dependency-check-maven:check \
            -DfailBuildOnAnyVulnerability=true \
            -DfailBuildOnCVSS=7 \
            -DsuppressionFile=security/dependency-check-suppressions.xml
      - name: Upload Dependency-Check report
        if: always()  # publish the report even when the scan step fails the build
        uses: actions/upload-artifact@v3
        with:
          name: dependency-check-report
          path: target/dependency-check-report.html
          retention-days: 30
      - name: Check for vulnerabilities
        if: always()
        run: |
          if [ -f "target/dependency-check-report.html" ]; then
            echo "Dependency check completed. Check the report for vulnerabilities."
          else
            echo "Dependency check failed."
            exit 1
          fi
2. GitLab CI
# .gitlab-ci.yml
stages:
  - security
dependency_check:
  stage: security
  image: maven:3.8-openjdk-17
  variables:
    MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"
  cache:
    paths:
      - .m2/repository/
      - .dependency-check/  # cache paths must be inside the project directory, so point dataDirectory there
  before_script:
    - apt-get update && apt-get install -y wget
  script:
    - mvn org.owasp:dependency-check-maven:check
      -DdataDirectory=.dependency-check
      -DfailBuildOnAnyVulnerability=true
      -DfailBuildOnCVSS=7
      -DsuppressionFile=security/dependency-check-suppressions.xml
  artifacts:
    when: always  # keep the report when the job fails on findings
    paths:
      - target/dependency-check-report.html
  only:
    - merge_requests
    - main
    - develop
3. Jenkins Pipeline
// Jenkinsfile
pipeline {
agent any
tools {
maven 'Maven-3.8'
jdk 'JDK-17'
}
stages {
stage('Dependency Check') {
steps {
script {
// Update dependency-check database
sh 'mvn org.owasp:dependency-check-maven:update-only'
// Run dependency check; XML output is what dependencyCheckPublisher reads below
sh '''
mvn org.owasp:dependency-check-maven:check \
-Dformats=HTML,XML \
-DfailBuildOnAnyVulnerability=true \
-DfailBuildOnCVSS=7 \
-DsuppressionFile=security/dependency-check-suppressions.xml
'''
}
}
post {
always {
archiveArtifacts artifacts: 'target/dependency-check-report.html', fingerprint: true
dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
}
}
}
}
}
4. Azure DevOps Pipeline
# azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - develop
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: Maven@3
    inputs:
      mavenPomFile: 'pom.xml'
      goals: 'compile'
  - script: |
      mvn org.owasp:dependency-check-maven:check \
        -DfailBuildOnAnyVulnerability=true \
        -DfailBuildOnCVSS=7 \
        -DsuppressionFile=security/dependency-check-suppressions.xml
    displayName: 'OWASP Dependency Check'
  - task: PublishBuildArtifacts@1
    condition: always()  # publish the report even when the scan fails the build
    inputs:
      pathtoPublish: 'target/dependency-check-report.html'
      artifactName: 'DependencyCheckReport'

Advanced Configuration

1. Custom Data Sources
<!-- Maven configuration for custom data sources -->
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.2</version>
<configuration>
<!-- Custom NVD feed -->
<cveUrlModified>https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz</cveUrlModified>
<cveUrlBase>https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz</cveUrlBase>
<!-- Additional data sources -->
<retireJsUrl>https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json</retireJsUrl>
<ossIndexUrl>https://ossindex.sonatype.org/api/v3/component-report</ossIndexUrl>
<!-- Hints file that adds or removes evidence for mis-identified dependencies -->
<hintsFile>${project.basedir}/security/additional-hints.xml</hintsFile>
</configuration>
</plugin>
2. Database Configuration
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.2</version>
<configuration>
<!-- PostgreSQL Configuration -->
<connectionString>jdbc:postgresql://localhost:5432/dependencycheck</connectionString>
<databaseDriverName>org.postgresql.Driver</databaseDriverName>
<databaseDriverPath>/path/to/postgresql.jar</databaseDriverPath>
<databaseUser>dcuser</databaseUser>
<databasePassword>dcpass</databasePassword>
<!-- MySQL Configuration (alternative) -->
<!--
<connectionString>jdbc:mysql://localhost:3306/dependencycheck</connectionString>
<databaseDriverName>com.mysql.cj.jdbc.Driver</databaseDriverName>
<databaseDriverPath>/path/to/mysql-connector-java.jar</databaseDriverPath>
-->
</configuration>
<dependencies>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.5.4</version>
</dependency>
</dependencies>
</plugin>
3. Performance Optimization
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.2</version>
<configuration>
<!-- Performance settings -->
<threadCount>8</threadCount>
<connectionTimeout>10000</connectionTimeout>
<readTimeout>60000</readTimeout>
<!-- Cache settings -->
<cveDownloadTimeout>120000</cveDownloadTimeout>
<cveValidForHours>72</cveValidForHours>
<!-- Disable non-essential analyzers -->
<artifactoryAnalyzerEnabled>false</artifactoryAnalyzerEnabled>
<nexusAnalyzerEnabled>false</nexusAnalyzerEnabled>
<opensslAnalyzerEnabled>false</opensslAnalyzerEnabled>
<!-- Skip update if recent data exists -->
<autoUpdate>true</autoUpdate>
<updateOnly>false</updateOnly>
</configuration>
</plugin>

Custom Analyzers and Hints

1. Custom Hints File
<?xml version="1.0" encoding="UTF-8"?>
<!-- additional-hints.xml (the XML declaration must be the first line of the file) -->
<hints xmlns="https://jeremylong.github.io/DependencyCheck/dependency-hints.1.1.xsd">
<!-- Add evidence for unidentified dependencies -->
<hint>
<given>
<file>lib/custom-library.jar</file>
</given>
<add>
<evidence type="vendor" name="package-name" value="com.company.customlib" />
<evidence type="product" name="package-name" value="custom-library" />
<evidence type="version" name="package-name" value="1.2.3" />
</add>
</hint>
<!-- Remove false evidence -->
<hint>
<given>
<evidence type="vendor" value="Apache" />
<evidence type="product" value="Log4j" />
</given>
<remove>
<evidence type="version" />
</remove>
</hint>
<!-- Force specific CPE -->
<hint>
<given>
<file>lib/legacy.jar</file>
</given>
<add>
<evidence type="cpe" name="cpe" value="cpe:/a:legacy:legacy:1.0" />
</add>
</hint>
</hints>
2. Custom Analyzer Integration
// Custom dependency analyzer (example structure, built on the dependency-check-core API)
import java.io.FileFilter;

import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer;
import org.owasp.dependencycheck.analyzer.AnalysisPhase;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceType;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.FileFilterBuilder;

public class CustomDependencyAnalyzer extends AbstractFileTypeAnalyzer {

    // Only files with the .custom extension are handed to this analyzer
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions("custom").build();

    @Override
    public String getName() {
        return "Custom Dependency Analyzer";
    }

    @Override
    public AnalysisPhase getAnalysisPhase() {
        // Evidence has to be collected before the CPE analyzer runs
        return AnalysisPhase.INFORMATION_COLLECTION;
    }

    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }

    @Override
    protected String getAnalyzerEnabledSettingKey() {
        // Property that toggles this analyzer, e.g. analyzer.custom.enabled=false
        return "analyzer.custom.enabled";
    }

    @Override
    protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
        // No one-time initialization needed
    }

    @Override
    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
        // Custom analysis logic: attach vendor and product evidence so the file can be matched against the NVD
        dependency.addEvidence(EvidenceType.VENDOR, "custom-vendor", "vendor", "CustomVendor", Confidence.HIGH);
        dependency.addEvidence(EvidenceType.PRODUCT, "custom-product", "product", "CustomProduct", Confidence.HIGH);
    }
}
// Analyzers are discovered via ServiceLoader: list the class name in
// META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

Reporting and Monitoring

1. Multiple Report Formats
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.2</version>
<configuration>
<!-- Multiple output formats (SARIF is the format GitHub Code Scanning consumes) -->
<formats>
<format>HTML</format>
<format>JSON</format>
<format>XML</format>
<format>CSV</format>
<format>JUNIT</format>
<format>SARIF</format>
</formats>
<!-- Custom report locations -->
<outputDirectory>${project.build.directory}/security-reports</outputDirectory>
<!-- JUnit report: findings at or above this CVSS score are written as failed test cases -->
<junitFailOnCVSS>7</junitFailOnCVSS>
</configuration>
</plugin>
2. Custom Report Templates
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.2</version>
<configuration>
<!-- Custom report template -->
<reportFormat>HTML</reportFormat>
<reportTemplate>templates/custom-report.vm</reportTemplate>
<!-- Custom stylesheet -->
<stylesheet>templates/custom-stylesheet.css</stylesheet>
</configuration>
</plugin>
3. Monitoring and Alerting
#!/bin/bash
# dependency-monitor.sh
set -u
PROJECT_NAME="my-application"
CVSS_THRESHOLD=7.0
SLACK_WEBHOOK="https://hooks.slack.com/services/..."
ALERT_EMAIL="security@example.com"   # placeholder recipient
REPORT="target/dependency-check-report.json"
# Run dependency check; request a JSON report next to the HTML one so it can be parsed
mvn org.owasp:dependency-check-maven:check -Dformats=HTML,JSON -DfailBuildOnCVSS="$CVSS_THRESHOLD"
STATUS=$?
# A non-zero exit with a report present means findings at or above the threshold
if [ "$STATUS" -ne 0 ] && [ -f "$REPORT" ]; then
# Count findings at or above the threshold from the JSON report (requires jq);
# CVSS v3 is preferred, v2 is the fallback for older entries
VULNERABILITIES=$(jq --argjson t "$CVSS_THRESHOLD" \
'[.dependencies[]? | .vulnerabilities[]? | select((.cvssv3.baseScore // .cvssv2.score // 0) >= $t)] | length' \
"$REPORT")
# Send Slack alert
curl -X POST -H 'Content-type: application/json' \
--data "{\"text\":\"🚨 $VULNERABILITIES high-severity vulnerabilities found in $PROJECT_NAME!\"}" \
"$SLACK_WEBHOOK"
# Send email notification
echo "High severity vulnerabilities found in $PROJECT_NAME" | mail -s "Dependency Check Alert" "$ALERT_EMAIL"
elif [ "$STATUS" -ne 0 ]; then
echo "Dependency check did not produce $REPORT; treat as a scan failure" >&2
fi
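The monitoring script above only counts findings. As an added example (not from this page or the Dependency-Check project), here is a Python gate that reads the same JSON report, takes each dependency's worst CVSS score (v3 first, v2 as fallback) and returns the dependencies that breach the threshold, so the alert can name what needs fixing. It runs on a constructed report shaped like Dependency-Check's JSON output, or on a report path and threshold given as arguments.

```python
"""Gate a build on a Dependency-Check JSON report (format JSON or ALL)."""
import json
import sys

# Constructed sample report, trimmed to the fields this gate reads; scores are made up
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "log4j-core-2.14.1.jar",
         "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
         "vulnerabilities": [
             {"name": "CVE-2021-44228", "severity": "CRITICAL", "cvssv3": {"baseScore": 10.0}},
             {"name": "CVE-2022-12345", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
        {"fileName": "spring-core-5.3.18.jar",
         "packages": [{"id": "pkg:maven/org.springframework/spring-core@5.3.18"}],
         "vulnerabilities": [
             {"name": "CVE-2022-22965", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "junit-4.13.2.jar",
         "packages": [{"id": "pkg:maven/junit/junit@4.13.2"}],
         "vulnerabilities": [
             {"name": "CVE-2023-12345", "severity": "MEDIUM", "cvssv2": {"score": 4.3}}]},
        {"fileName": "guava-32.1.2-jre.jar",
         "packages": [{"id": "pkg:maven/com.google.guava/guava@32.1.2-jre"}]}
    ]
})


def score_of(vuln):
    """Prefer the CVSS v3 base score; fall back to the v2 score for entries without v3 data."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore", v2.get("score", 0.0)))


def evaluate(report_text, threshold):
    """Return (failing, summary): summary holds one row per vulnerable dependency, worst first."""
    report = json.loads(report_text)
    summary = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulnerabilities") or []
        if not vulns:
            continue
        worst = max(vulns, key=score_of)
        # Dependency-Check identifies Maven artifacts by package URL; fall back to the file name
        purl = next((p["id"] for p in dep.get("packages", []) if p.get("id")), dep.get("fileName"))
        summary.append({"package": purl, "count": len(vulns), "worst": worst["name"], "score": score_of(worst)})
    summary.sort(key=lambda s: s["score"], reverse=True)
    failing = [s for s in summary if s["score"] >= threshold]
    return failing, summary


if __name__ == "__main__":
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    failing, summary = evaluate(text, threshold)
    for s in summary:
        flag = "FAIL" if s["score"] >= threshold else "ok  "
        print(f"{flag} {s['package']}: {s['count']} finding(s), worst {s['worst']} ({s['score']})")
    sys.exit(1 if failing else 0)
```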

Best Practices

1. Regular Scanning Schedule
#!/bin/bash
# weekly-dependency-scan.sh
# Update vulnerability database
mvn org.owasp:dependency-check-maven:update-only
# Scan all projects
for project in */pom.xml; do
echo "Scanning $(dirname "$project")"
mvn -f "$project" org.owasp:dependency-check-maven:check \
-DfailBuildOnCVSS=4 \
-DsuppressionFile=security/dependency-check-suppressions.xml
done
# Generate consolidated report
mvn org.owasp:dependency-check-maven:aggregate \
-Dproject=All-Projects \
-DscanSet="*/pom.xml"
2. Dependency Management Strategy
<!-- Maven BOM for dependency management -->
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.example</groupId>
<artifactId>security-bom</artifactId>
<version>1.0.0</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<!-- Security-focused BOM -->
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>security-bom</artifactId>
<version>1.0.0</version>
<packaging>pom</packaging>
<dependencyManagement>
<dependencies>
<!-- Secure versions of commonly used dependencies -->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.20.0</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.15.2</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
3. Automated Remediation
// Gradle task for auto-remediation (Groovy DSL)
// The Dependency-Check report carries no fix versions, so the mapping from
// vulnerable coordinates to a patched version is supplied here (placeholder entries)
ext.fixedVersions = [
    'org.apache.logging.log4j:log4j-core': '2.20.0',
    'com.fasterxml.jackson.core:jackson-databind': '2.15.2'
]
tasks.register('updateVulnerableDependencies') {
    doLast {
        def vulnerableDeps = []
        // Parse the JSON report (requires format = 'JSON' or 'ALL')
        def report = new groovy.json.JsonSlurper().parse(file('build/reports/dependency-check-report.json'))
        report.dependencies.each { dep ->
            def high = dep.vulnerabilities?.any { (it.cvssv3?.baseScore ?: it.cvssv2?.score ?: 0) >= 7 }
            // Maven coordinates are reported as a package URL: pkg:maven/<group>/<artifact>@<version>
            def purl = dep.packages?.find { it.id?.startsWith('pkg:maven/') }?.id
            def m = purl ? (purl =~ /^pkg:maven\/([^\/]+)\/([^@]+)@([^?]+)/) : null
            if (high && m) {
                vulnerableDeps << [ga: "${m[0][1]}:${m[0][2]}", version: m[0][3]]
            }
        }
        // Update build.gradle with fixed versions
        if (vulnerableDeps) {
            def buildFile = file('build.gradle')
            def content = buildFile.text
            def updated = 0
            vulnerableDeps.each { dep ->
                def fixedVersion = fixedVersions[dep.ga]
                if (fixedVersion && fixedVersion != dep.version) {
                    content = content.replace("${dep.ga}:${dep.version}", "${dep.ga}:${fixedVersion}")
                    updated++
                } else {
                    println "No fix version configured for ${dep.ga}:${dep.version}"
                }
            }
            buildFile.text = content
            println "Updated ${updated} of ${vulnerableDeps.size()} vulnerable dependencies"
        }
    }
}

Troubleshooting

1. Common Issues and Solutions
# Database locked error
rm ~/.dependency-check/dc.h2.db
# Out of memory error
export MAVEN_OPTS="-Xmx4g -Xms1g"
# SSL certificate issues (e.g. a TLS-inspecting proxy): trust the signing CA via a Java truststore
mvn org.owasp:dependency-check-maven:check \
-Djavax.net.ssl.trustStore=/path/to/truststore.jks \
-Djavax.net.ssl.trustStorePassword=changeit
# Proxy configuration
mvn org.owasp:dependency-check-maven:check \
-Dproxy.server=proxy.company.com \
-Dproxy.port=8080 \
-Dproxy.username=user \
-Dproxy.password=pass
2. Debug Mode
# Enable debug logging
mvn org.owasp:dependency-check-maven:check -X -Dlogging.level.org.owasp=DEBUG
# Generate verbose output
mvn org.owasp:dependency-check-maven:check -Dverbose=true
# Save debug information
mvn org.owasp:dependency-check-maven:check -Ddebug.archive=true

Conclusion

OWASP Dependency-Check provides:

  • Comprehensive vulnerability detection for Java dependencies
  • Multiple integration options (Maven, Gradle, CLI)
  • Flexible configuration and customization
  • CI/CD pipeline integration
  • Enterprise-grade reporting and monitoring

By implementing the configurations and strategies shown above, you can create a robust dependency vulnerability management system that identifies security issues early, enforces security standards, and maintains the security posture of your Java applications throughout their lifecycle.
