mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-13 23:33:37 +01:00
23 lines
1.1 KiB
Plaintext
23 lines
1.1 KiB
Plaintext
About:
|
|
DependencyCheck is a utility that attempts to detect publically disclosed
|
|
vulnerabilities contained within project dependencies. It does this by determining
|
|
if there is a Common Platform Enumeration (CPE) identifier for a given dependency.
|
|
If found, it will generate a report linking to the associated CVE entries.
|
|
|
|
Usage:
|
|
$ mvn package
|
|
$ cd target
|
|
$ java -jar DependencyCheck-0.2.0.jar -h
|
|
$ java -jar DependencyCheck-0.2.0.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
|
|
|
|
Then load the resulting 'Testing.html' into your favorite browser.
|
|
|
|
Important note - DependencyCheck should be run to analyze a project at least once every week.
|
|
The reason for this is that it downloads data from the National Vulnerability Database hosted
|
|
by NIST. If more then a week goes by without DependencyCheck updating the data, a full update
|
|
can take an 90 minutes or more (a lot of data needs to be downloaded and processed).
|
|
|
|
Author: Jeremy Long (jeremy.long@gmail.com)
|
|
|
|
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
|