OWASP dependency-check contains several file type analyzers that are used to extract identification information from the files analyzed.
| Analyzer | File Types Scanned | Analysis Method |
|---|---|---|
| Archive | Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2) | Extracts archive contents, then scans contents with all available analyzers. |
| Assembly | .NET Assemblies (*.exe, *.dll) | Uses GrokAssembly.exe, which requires .NET Framework or Mono runtime to be installed. |
| Autoconf | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. |
| Central | Java archive files (*.jar) | Searches Maven Central or a configured Nexus repository for the file’s SHA1 hash. |
| CMake | CMake project files (CMakeLists.txt) and scripts (*.cmake) | Regex scan for project initialization and version setting commands. |
| Composer Lock | PHP Composer Lock files (composer.lock) | Parses PHP Composer lock files for exact versions of dependencies. |
| Jar | Java archive files (*.jar); Web application archive (*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
| Nexus | Java archive files (*.jar) | Searches Sonatype or a configured Nexus repository for the file’s SHA1 hash. In most cases, superseded by Central. |
| Node.js | NPM package specification files (package.json) | Parses the JSON format for metadata. |
| Nuspec | Nuget package specification file (*.nuspec) | Uses XPath to parse specification XML. |
| OpenSSL | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
| Python | Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
| Ruby Gemspec | Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec) | Regex scan of Gemspec initialization blocks for metadata. |
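The OpenSSL row above describes a regex parse of the OPENSSL_VERSION_NUMBER macro; the following added example (not dependency-check's own code) shows that approach on a constructed opensslv.h excerpt and decodes the 1.x-series MNNFFPPS hex layout into a dotted version string. The sample header text and the helper names are assumptions for illustration.

```python
"""Regex-parse OPENSSL_VERSION_NUMBER from opensslv.h text and decode it.
Added example mirroring the method described in the analyzer table; it is
not dependency-check's own implementation."""
import re

# Constructed sample of an opensslv.h excerpt from the 1.x series.
SAMPLE_HEADER = """
/* Numeric release version identifier:
 * MNNFFPPS: major minor fix patch status
 */
# define OPENSSL_VERSION_NUMBER  0x1000210fL
# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2p  14 Aug 2018"
"""

# Tolerates whitespace between '#' and 'define' and an optional 'L' suffix.
VERSION_RE = re.compile(
    r"#\s*define\s+OPENSSL_VERSION_NUMBER\s+0x([0-9a-fA-F]+)L?")


def extract_version_number(header_text):
    """Return OPENSSL_VERSION_NUMBER as an int, or None if the macro is absent."""
    m = VERSION_RE.search(header_text)
    return int(m.group(1), 16) if m else None


def decode_version(number):
    """Decode a 1.x-series MNNFFPPS value into dotted form, e.g. 1.0.2p.
    OpenSSL 3.x switched to a different layout (no patch letter), so values
    with major >= 3 are rejected rather than decoded incorrectly."""
    major = (number >> 28) & 0xF
    if major >= 3:
        raise ValueError("OpenSSL 3.x version encoding is not handled here")
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF      # 1 -> 'a', 2 -> 'b', ...
    status = number & 0xF             # 0 = dev, 1..e = beta, f = release
    version = f"{major}.{minor}.{fix}"
    if patch:
        version += chr(ord("a") + patch - 1)
    if status != 0xF:
        version += "-dev" if status == 0 else f"-beta{status}"
    return version


def analyze(header_text):
    """Full analyzer step: macro extraction followed by decoding."""
    number = extract_version_number(header_text)
    return None if number is None else decode_version(number)
```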