The dependency-check gradle plugin is a Software Composition Analysis (SCA) tool that allows projects to monitor dependent libraries for known, published vulnerabilities.


dependency-check/dependency-check-gradle


The dependency-check gradle plugin allows projects to monitor dependent libraries for known, published vulnerabilities.

11.0.0 Upgrade Notice

  • The dependency-check-gradle plugin now requires Java 11 or higher.
  • The dependency-check-gradle plugin will no longer be published to Maven Central; it will continue to be published to the Gradle plugin portal.

9.0.0 Upgrade Notice

Breaking changes are included in the 9.0.0 release. Please see the 9.0.0 Upgrade Notice on the primary dependency-check site for more information.

Gradle Build Environment

With 9.0.0, users may encounter NoSuchMethodError exceptions caused by dependency resolution. If you encounter this issue you will need to pin some of the transitive dependencies of dependency-check to specific versions. For example:

/buildSrc/build.gradle

```groovy
dependencies {
    constraints {
        // org.owasp.dependencycheck needs at least this version of jackson. Other plugins pull in older versions.
        add("implementation", "com.fasterxml.jackson:jackson-bom:2.18.3")
        // org.owasp.dependencycheck needs these versions. Other plugins pull in older versions.
        add("implementation", "org.apache.commons:commons-lang3:3.17.0")
        add("implementation", "org.apache.commons:commons-text:1.13.0")
    }
}
```

Current Release

The latest version is 12.1.3.

Usage

Below are the quick start instructions. Please see the documentation site for more detailed information on configuration and usage.

Step 1: Apply the dependency-check gradle plugin

Add the plugin to your build.gradle file:

```groovy
plugins {
  id "org.owasp.dependencycheck" version "12.1.3"
}
```

Step 2: Run the gradle task

Once the plugin is applied, run the following Gradle task to check dependencies:

```shell
gradle dependencyCheckAnalyze --info
```

The reports will be generated automatically under the build/reports directory.

If your project includes multiple sub-projects, a report will be generated for each sub-project in its own build/reports directory.

FAQ

Questions List:

  • What if my project includes multiple sub-projects? How can I use this plugin for each of them, including the root project?
  • How to customize the report directory?

What if my project includes multiple sub-projects? How can I use this plugin for each of them, including the root project?

For non-aggregate scans

Put apply plugin: 'org.owasp.dependencycheck' inside the allprojects block (to check every project, including the root) or the subprojects block (to check the sub-projects only), as shown below:

(1) For all projects including root project:

```groovy
buildscript {
  repositories {
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath "org.owasp:dependency-check-gradle:12.1.3"
  }
}

allprojects {
    apply plugin: 'org.owasp.dependencycheck'
}
```

(2) For all sub-projects:

```groovy
buildscript {
  repositories {
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath "org.owasp:dependency-check-gradle:12.1.3"
  }
}

subprojects {
    apply plugin: 'org.owasp.dependencycheck'
}
```

In this way, the dependency check will be executed for all projects (including the root project) or just for the sub-projects.

For aggregate scans

For an aggregate scan, apply the plugin on the root project; alternatively, if your multi-project build consists of libraries and an application, you can apply the plugin on the application project.

How to customize the report directory?

By default, all reports are placed under the build/reports folder. To change the default reporting folder, modify the configuration section like this:

```groovy
subprojects {
    apply plugin: 'org.owasp.dependencycheck'
    dependencyCheck {
        outputDirectory = "$buildDir/security-report"
    }
}
```

How do I use the plugin with Gradle Kotlin DSL?

```kotlin
plugins {
    id("org.owasp.dependencycheck") version "12.1.3" apply false
}

allprojects {
    apply(plugin = "org.owasp.dependencycheck")
}

configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
    format = org.owasp.dependencycheck.reporting.ReportGenerator.Format.ALL.toString()
}
```
