OWASP Dependency-Check

github.com

About this website

OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that detects publicly disclosed vulnerabilities in application dependencies. Developed by Jeremy Long as an OWASP (Open Web Application Security Project) flagship project, it scans project dependencies (libraries, packages, modules) and cross-references them against the National Vulnerability Database (NVD) maintained by NIST, identifying known CVEs (Common Vulnerabilities and Exposures) associated with specific library versions.

The tool supports multiple ecosystems: Java (Maven, Gradle, Ant, and JAR analysis via byte code scanning), .NET (NuGet packages, .NET Core project.json), Node.js (package-lock.json, npm-shrinkwrap.json, yarn.lock), Python (pip requirements.txt, Poetry, Pipfile, setup.py), Ruby (Gemfile.lock), Go (go.mod), PHP (composer.lock), C/C++ (conan), Swift (Package.resolved), Android (build.gradle dependencies), and mixed ecosystems via manual pom.xml or build.gradle analysis.

Key features include automatic download and caching of the NVD CVE data feeds (updated daily); suppression rules for false positive management (XML or annotations); dependency analysis with CPE (Common Platform Enumeration) mapping for accurate vulnerability matching; evidence collection from JAR manifests, Gradle metadata, npm metadata, and other package descriptors; HTML, JSON, XML, CSV, SARIF, and JUnit report generation for CI/CD integration; Maven and Gradle plugins for build-time scanning; a Jenkins plugin for pipeline integration; a command-line interface for standalone usage; and support for the NVD API 2.0 for faster vulnerability data retrieval. As of 2026, version 11.x scans against the full NVD database, which contains over 290,000 CVEs.
