
Dependency-Check

Detect known vulnerabilities in project dependencies automatically.

Dependency-Check scans project libraries, maps them to CPE identifiers, and reports associated CVEs, helping teams identify and remediate known security flaws across multiple ecosystems.


Overview

Dependency-Check is a Software Composition Analysis (SCA) tool that examines a project's dependencies, resolves each one to Common Platform Enumeration (CPE) identifiers, and generates reports linking the matches to known CVE entries. Java archives are analyzed natively; other ecosystems are covered by analyzers that shell out to external tools such as dotnet, go, npm, yarn, pnpm, and bundle-audit, which must be installed on the scanning host.

Integration & Deployment

The scanner runs on Java 11 or newer and can be invoked from the command line, Maven, Gradle, Ant, or the Jenkins plugin, which makes it usable both on a developer workstation and inside CI/CD pipelines. Vulnerability data comes from the NVD API (an API key is strongly recommended), and a local H2 database holds the downloaded data so that later runs only fetch what has changed. The host therefore needs outbound access to the NVD (or to an internal mirror of its data feed) plus whichever build tools the target ecosystems require.

Highlights

CPE‑based detection links dependencies to official CVE records
Direct integration with Maven, Gradle, Ant, and Jenkins
Supports .NET, Go, JavaScript, Ruby, Elixir, and more via external analyzers
Local H2 cache reduces repeated NVD queries

Pros

  • Comprehensive vulnerability coverage using NVD data
  • Free and open‑source with extensive plugin ecosystem
  • Configurable for CI/CD environments
  • Works across many programming languages

Considerations

  • Requires Java 11 or newer and network access to the NVD (or to a mirror of its data)
  • NVD API rate limits can affect large CI fleets, especially when every agent keeps its own database
  • CPE mapping may produce occasional false positives; a suppression file is the supported way to silence findings that have been reviewed
  • No native GUI; interaction is via the CLI or build plugins, and results are read from the generated HTML, JSON, XML, CSV or SARIF reports

Managed products teams compare with

When teams consider Dependency-Check, these hosted platforms usually appear on the same shortlist. Note that all three are web application (DAST) scanners that test a running site, not software composition analysis tools, so they complement rather than replace a dependency scan.


Acunetix

Web vulnerability scanner for automated security testing of websites and web apps


AppCheck

Automated web application and infrastructure vulnerability scanning platform


Burp Suite

Web application security testing platform

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Development teams needing automated dependency security checks
  • Security auditors performing library vulnerability assessments
  • CI/CD pipelines that must fail builds on new CVEs
  • Organizations looking for a free, extensible SCA solution

Not ideal when

  • Environments without network access to the NVD or to a mirror of its data
  • Build hosts that cannot run Java 11 or newer (the scanned project itself may still target an older Java)
  • Teams that cannot manage NVD API rate‑limit constraints
  • Use cases requiring real‑time container image scanning

How teams use it

CI Build Validation

The CLI (--failOnCVSS) and the Maven and Gradle plugins (failBuildOnCVSS) can fail the build when any dependency carries a CVE at or above a chosen CVSS score, so newly published vulnerabilities block merges until they are fixed or formally suppressed.
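The gate below is an added example written for this page; it is not Dependency-Check's own code. It serves two points made above: failing a CI build on the scanner's findings, and handling the CPE false positives listed under Considerations. It parses the JSON report that the CLI writes with --format JSON (the field names used here, "dependencies", "fileName", "packages[].id", "vulnerabilities[].name", "cvssv3.baseScore" and "cvssv2.score", are taken from that layout and should be checked against your own report), applies a CVSS threshold, honours a reviewed allowlist whose entries expire, and renders the still-valid entries as a suppression file in the schema the tool reads. The report and the allowlist in the block are constructed sample data, and the package names and CVE identifiers in them are placeholders, not real advisories.

```python
"""CI gate over a Dependency-Check JSON report (added example, not project code)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from xml.sax.saxutils import escape


@dataclass(frozen=True)
class Finding:
    file_name: str
    purl: str
    cve: str
    score: float


@dataclass(frozen=True)
class Acceptance:
    """A reviewed false positive or accepted risk, time-boxed by `until`."""
    purl: str
    cve: str
    until: date
    reason: str


def _score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2; an unscored CVE fails closed as 10."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    if "score" in v2:
        return float(v2["score"])
    return 10.0


def parse_findings(report_text: str) -> list[Finding]:
    """Flatten the report into one Finding per (dependency, CVE) pair."""
    report = json.loads(report_text)
    findings: list[Finding] = []
    for dep in report.get("dependencies", []):
        packages = dep.get("packages") or [{}]
        purl = packages[0].get("id", "")  # package URL the analyzer assigned
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(dep.get("fileName", "?"), purl, vuln["name"], _score(vuln)))
    return findings


def gate(findings, threshold: float, acceptances, today: date):
    """Split findings at/above the threshold into blocking and accepted.
    An acceptance only counts while its `until` date has not passed."""
    active = {(a.purl, a.cve) for a in acceptances if a.until >= today}
    blocking, accepted = [], []
    for f in findings:
        if f.score < threshold:
            continue
        (accepted if (f.purl, f.cve) in active else blocking).append(f)
    return blocking, accepted


def suppression_xml(acceptances, today: date) -> str:
    """Render unexpired acceptances as a Dependency-Check suppression file so the
    scanner itself drops them: exact packageUrl match, one CVE each, time-boxed."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/'
             'dependency-suppression.1.3.xsd">']
    for a in acceptances:
        if a.until < today:
            continue
        note = a.reason.replace("]]>", "]]]]><![CDATA[>")  # keep the CDATA section well formed
        lines += [f'  <suppress until="{a.until.isoformat()}Z">',
                  f'    <notes><![CDATA[{note}]]></notes>',
                  f'    <packageUrl>{escape(a.purl)}</packageUrl>',
                  f'    <cve>{escape(a.cve)}</cve>',
                  '  </suppress>']
    lines.append('</suppressions>')
    return "\n".join(lines) + "\n"


# Constructed sample report and allowlist: placeholder packages and CVE numbers, not real data.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "example-http-1.2.0.jar",
     "packages": [{"id": "pkg:maven/org.example/example-http@1.2.0"}],
     "vulnerabilities": [
         {"name": "CVE-2000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
         {"name": "CVE-2000-0002", "severity": "LOW", "cvssv2": {"score": 3.5}}]},
    {"fileName": "example-util-0.9.jar",
     "packages": [{"id": "pkg:maven/org.example/example-util@0.9"}],
     "vulnerabilities": [
         {"name": "CVE-2000-0003", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}},
         {"name": "CVE-2000-0004", "severity": "HIGH"}]},          # no score published yet
    {"fileName": "clean-lib-3.0.jar",
     "packages": [{"id": "pkg:maven/org.example/clean-lib@3.0"}]},  # no findings
]})

ACCEPTANCES = [
    Acceptance("pkg:maven/org.example/example-util@0.9", "CVE-2000-0003",
               date(2030, 1, 1), "CPE false positive: affected class is not shipped in this jar"),
    Acceptance("pkg:maven/org.example/example-http@1.2.0", "CVE-2000-0001",
               date(2020, 1, 1), "temporary acceptance, long expired"),
]


def run(report_text: str = SAMPLE_REPORT, threshold: float = 7.0,
        acceptances=ACCEPTANCES, today: date = date(2025, 1, 1)) -> int:
    """Print the verdict and return the process exit code (1 blocks the build)."""
    blocking, accepted = gate(parse_findings(report_text), threshold, acceptances, today)
    for f in blocking:
        print(f"BLOCK  {f.cve} cvss={f.score:<4} {f.file_name}")
    for f in accepted:
        print(f"ACCEPT {f.cve} cvss={f.score:<4} {f.file_name}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(run())
```

On the sample data the gate blocks the expired acceptance and the unscored CVE while accepting the reviewed false positive, and returns 1. In a pipeline, pass the real report path and date.today(), and feed the output of suppression_xml to the scanner's suppression-file option so the next run does not report the accepted entries at all; the `until` attribute forces a re-review when the acceptance lapses.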

Legacy Application Audit

Generate a detailed report of outdated libraries and associated vulnerabilities for remediation planning.

Automated Dependency Updates

Identify vulnerable components and prioritize version upgrades across the codebase.

Compliance Reporting

Produce an inventory of CVEs for regulatory audits and security certifications.

Tech snapshot

Java 97%
PLSQL 1%
Groovy 1%
PLpgSQL 1%
TSQL 1%
Shell 1%

Tags

maven-plugin, ant-task, gradle-plugin, software-composition-analysis, vulnerability-detection, build-tool, jenkins-plugin, security-audit, security

Frequently asked questions

Do I need an NVD API key?

An API key is strongly recommended. Without one the NVD API throttles requests heavily, so the initial population of the local database can take hours and updates may fail with rate-limit errors.

What Java version is required?

Java 11 or newer is mandatory for Dependency-Check 11.0.0 and later.

Can Dependency-Check scan Docker images?

Scanning Docker images is not natively supported; you would need to extract the filesystem and scan the contained libraries.

How can I mitigate NVD rate‑limit issues in CI?

Keep one data directory (the H2 database) shared by all agents, run the NVD update once on a schedule (the CLI's --updateonly mode) and let individual jobs scan with --noupdate, or host an internal mirror of the NVD data feed and point the scanner at it. Staggering builds helps only at the margin; sharing the database is what removes the repeated downloads.

Is there a graphical user interface?

No built‑in GUI; interaction is through the CLI or integration plugins.

Project at a glance

Active
Stars
7,396
Watchers
7,396
Forks
1,392
License: Apache-2.0
Repo age: 13 years old
Last commit: yesterday
Primary language: Java

Last synced 3 hours ago