Home

Awesome

sbt-dependency-check Build Status Codacy Badge Apache 2.0 License

The sbt-dependency-check plugin allows projects to monitor dependent libraries for known, published vulnerabilities (e.g. CVEs). The plugin achieves this by using the awesome OWASP DependencyCheck library which already offers several integrations with other build and continuous integration systems. For more information on how OWASP DependencyCheck works and how to read the reports check the project's documentation.

Table of contents

Getting started

sbt-dependency-check is an AutoPlugin. Simply add the plugin to project/plugins.sbt file.

addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")

Use sbt-dependency-check v2.0.0 or higher as previous versions aren't compatible with NVD feeds anymore. Starting with sbt-dependency-check v3.0.0 sbt v0.13.x is no longer supported.

Usage

Tasks

TaskDescriptionCommand
dependencyCheckRuns dependency-check against the current project, its aggregates and dependencies and generates a report for each project.$ sbt dependencyCheck
dependencyCheckAggregateRuns dependency-check against the current project, its aggregates and dependencies and generates a single report in the current project's output directory.$ sbt dependencyCheckAggregate
dependencyCheckAnyProjectRuns dependency-check against all projects, aggregates and dependencies and generates a single report in the current project's output directory.$ sbt dependencyCheckAnyProject
dependencyCheckUpdateOnlyUpdates the local cache of the NVD data from NIST.$ sbt dependencyCheckUpdateOnly
dependencyCheckPurgeDeletes the local copy of the NVD. This is used to force a refresh of the data.$ sbt dependencyCheckPurge
dependencyCheckListSettingsPrints all settings and their values for the project.$ sbt dependencyCheckListSettings

The reports will be written to the default location crossTarget.value. This can be overwritten by setting dependencyCheckOutputDirectory. See Configuration for details.

Note: The first run might take a while as the full data from the National Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov has to be downloaded and imported into the database. Later runs will only download change sets unless the last update was more than 7 days ago. It is recommended to set up a mirror of the NVD feed in your local network to reduce the risk of rate limiting. See https://github.com/stevespringett/nist-data-mirror for instructions.

Configuration

sbt-dependency-check uses the default configuration of OWASP DependencyCheck. You can override them in your build.sbt files. Use the task dependencyCheckListSettings to print all available settings and their values to sbt console.

SettingDescriptionDefault Value
dependencyCheckAutoUpdateSets whether auto-updating of the NVD CVE/CPE, retireJS and hosted suppressions data is enabled. It is not recommended that this be turned to false.true
dependencyCheckCveValidForHoursSets the number of hours to wait before checking for new updates from the NVD.4
dependencyCheckFailBuildOnCVSSSpecifies if the build should be failed if a CVSS score above, or equal to, a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the NVD11.0
dependencyCheckJUnitFailBuildOnCVSSIf using the JUNIT report format the dependencyCheckJUnitFailOnCVSS sets the CVSS score threshold that is considered a failure. The default value is 0 - all vulnerabilities are considered a failure.0
dependencyCheckFormatThe report format to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL). This setting is ignored if dependencyCheckReportFormats is set.HTML
dependencyCheckFormatsA sequence of report formats to be generated (HTML, XML, JUNIT, CSV, JSON, SARIF, JENKINS, ALL).
dependencyCheckOutputDirectoryThe location to write the report(s).crossTarget.value e.g. ./target/scala-2.11
dependencyCheckScanSetAn optional sequence of files that specify additional files and/or directories to analyze as part of the scan. If not specified, defaults to standard scala conventions (see SBT documentation for details)./src/main/resources
dependencyCheckSkipSkips the dependency-check analysisfalse
dependencyCheckSkipTestScopeSkips analysis for artifacts with Test Scopetrue
dependencyCheckSkipRuntimeScopeSkips analysis for artifacts with Runtime Scopefalse
dependencyCheckSkipProvidedScopeSkips analysis for artifacts with Provided Scopefalse
dependencyCheckSkipOptionalScopeSkips analysis for artifacts with Optional Scopefalse
dependencyCheckSuppressionFilesThe sequence of file paths to the XML suppression files - used to suppress false positives. See Suppressing False Positives for the file syntax.
dependencyCheckCpeStartsWithThe starting String to identify the CPEs that are qualified to be imported.
dependencyCheckHintsFileThe file path to the XML hints file - used to resolve false negatives.
dependencyCheckUseSbtModuleIdAsGavUse the SBT ModuleId as GAV identifier. Ensures GAV is available even if Maven Central isn't.false
dependencyCheckAnalysisTimeoutSet the analysis timeout in minutes20
dependencyCheckEnableExperimentalEnable the experimental analyzers. If not enabled the experimental analyzers (see below) will not be loaded or used.false
dependencyCheckEnableRetiredEnable the retired analyzers. If not enabled retired analyzers will not be loaded or used.false

Analyzer Configuration

The following properties are used to configure the various file type analyzers. These properties can be used to turn off specific analyzers if it is not needed. Note, that specific analyzers will automatically disable themselves if no file types that they support are detected - so specifically disabling them may not be needed. For more information about the individual analyzers see the DependencyCheck Analyzer documentation.

SettingDescriptionDefault Value
dependencyCheckArchiveAnalyzerEnabledSets whether the Archive Analyzer will be used.true
dependencyCheckZipExtensionsA comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
dependencyCheckJarAnalyzerEnabledSets whether Jar Analyzer will be used.true
dependencyCheckDartAnalyzerEnabledSets whether the experimental Dart analyzer is enabled. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckKnownExploitedEnabledSets whether the Known Exploited Vulnerability update and analyzer are enabled.true
dependencyCheckKnownExploitedUrlSets URL to the CISA Known Exploited Vulnerabilities JSON data feed.https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
dependencyCheckKnownExploitedValidForHoursSet the interval in hours until the next check for CISA Known Exploited Vulnerabilities JSON data feed is performed.24
dependencyCheckCentralAnalyzerEnabledSets whether Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).false
dependencyCheckCentralAnalyzerUseCacheSets whether the Central Analyer will cache results. Cached results expire after 30 days.true
dependencyCheckOSSIndexAnalyzerEnabledSets whether the OSS Index Analyzer will be enabled.true
dependencyCheckOSSIndexAnalyzerUrlURL of the Sonatype OSS Index service.https://ossindex.sonatype.org
dependencyCheckOSSIndexAnalyzerUseCacheSets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours.true
dependencyCheckOSSIndexAnalyzerUsernameThe optional username to use for the Sonatype OSS Index service. Note: an account with OSS Index is not required.
dependencyCheckOSSIndexAnalyzerPasswordThe optional password to use for the Sonatype OSS Index service.
dependencyCheckOSSIndexWarnOnlyOnRemoteErrorsSets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.false
dependencyCheckNexusAnalyzerEnabledSets whether Nexus Analyzer will be used. This analyzer is superseded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation.false
dependencyCheckNexusUrlDefines the Nexus Server’s web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled.https://repository.sonatype.org/service/local/
dependencyCheckNexusUsesProxyWhether or not the defined proxy should be used when connecting to Nexus.true
dependencyCheckNexusUserThe username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.
dependencyCheckNexusPasswordThe password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection.
dependencyCheckPyDistributionAnalyzerEnabledSets whether the experimental Python Distribution Analyzer will be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckPyPackageAnalyzerEnabledSets whether the experimental Python Package Analyzer will be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckRubygemsAnalyzerEnabledSets whether the experimental Ruby Gemspec Analyzer will be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckOpensslAnalyzerEnabledSets whether or not the openssl Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckCmakeAnalyzerEnabledSets whether or not the experimental CMake Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckAutoconfAnalyzerEnabledSets whether or not the experimental autoconf Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckMavenInstallAnalyzerEnabledSets whether or not the Maven install Analyzer should be used.true
dependencyCheckPipAnalyzerEnabledSets whether or not the experimental pip Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckPipfileAnalyzerEnabledSets whether or not the experimental Pipfile Analyzer should be used dependencyCheckEnableExperimental must be set to true.true
dependencyCheckPoetryAnalyzerEnabledSets whether or not the experimental Poetry Analyzer should be used dependencyCheckEnableExperimental must be set to true.true
dependencyCheckComposerAnalyzerEnabledSets whether or not the experimental PHP Composer Lock File Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckCpanFileAnalyzerEnabledSets whether or not the experimental Perl CPAN File Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckNodeAnalyzerEnabledSets whether or not the retired Node.js Analyzer should be used.false
dependencyCheckNodePackageSkipDevDependenciesSets whether the Node.js Analyzer will skip devDependencies.false
dependencyCheckNodeAuditAnalyzerEnabledSets whether or not the Node Audit Analyzer should be used.true
dependencyCheckNodeAuditSkipDevDependenciesSets whether the Node Audit Analyzer will skip devDependencies.false
dependencyCheckNodeAuditAnalyzerUrlSets the The Node Audit API URL for the Node Audit Analyzer. If not set uses default URL.https://registry.npmjs.org/-/npm/v1/security/audits
dependencyCheckNodeAuditAnalyzerUseCacheSets whether the Node Audit Analyzer will cache results. Cached results expire after 24 hours.true
dependencyCheckNPMCPEAnalyzerEnabledSets whether the or not the experimental NPM CPE Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckYarnAuditAnalyzerEnabledSets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection. Use dependencyCheckNodeAuditSkipDevDependencies to skip dev dependencies.true
dependencyCheckPathToYarnSets the path to the Yarn executable.
dependencyCheckPNPMAuditAnalyzerEnabledSets whether the Pnpm Audit Analyzer is enabled. This analyzer requires pnpm and an internet connection. Use nodeAuditSkipDevDependencies to skip dev dependencies.true
dependencyCheckPathToPNPMSets the path to the pnpm executable.
dependencyCheckNuspecAnalyzerEnabledSets whether or not the .NET Nuget Nuspec Analyzer will be used.true
dependencyCheckNugetConfAnalyzerEnabledSets whether the experimental .NET Nuget packages.config Analyzer will be used. dependencyCheckEnableExperimental must be set to true.false
dependencyCheckCocoapodsEnabledSets whether or not the experimental Cocoapods Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckMixAuditAnalyzerEnabledSets whether or not the experimental Mix Audit Analyzer should be used. dependencyCheckEnableExperimental must be set to true.tue
dependencyCheckMixAuditPathSets the path to the mix_audit executable; only used if mix audit analyzer is enabled and experimental analyzers are enabled.
dependencyCheckSwiftEnabledSets whether or not the experimental Swift Package Manager Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckSwiftPackageResolvedAnalyzerEnabledSets whether or not the experimental Swift Package Resolved Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckBundleAuditEnabledSets whether or not the experimental Ruby Bundle Audit Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckPathToBundleAuditThe path to Ruby Bundle Audit.
dependencyCheckBundleAuditWorkingDirectorySets the path for the working directory that the Ruby Bundle Audit binary should be executed from.
dependencyCheckAssemblyAnalyzerEnabledSets whether or not the .NET Assembly Analyzer should be used.true
dependencyCheckMSBuildAnalyzerEnabledSets whether the MSBuild Analyzer should be used.true
dependencyCheckPathToDotNETCoreThe path to .NET Core for .NET assembly analysis on non-windows systems.
dependencyCheckPEAnalyzerEnabledSets whether or not the experimental PE Analyzer that reads the PE headers of DLL and EXE files should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckRetireJSAnalyzerEnabledSets whether or not the RetireJS Analyzer should be used.true
dependencyCheckRetireJSForceUpdateSets whether the RetireJS Analyzer should update regardless of the ´dependencyCheckAutoUpdate´ setting.true
dependencyCheckRetireJSAnalyzerRepoJSUrlSet the URL to the RetireJS repository. Note the file name must be jsrepository.jsonhttps://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
dependencyCheckRetireJsAnalyzerRepoUserUsername for authentication to connect to RetireJS URL.
dependencyCheckRetireJsAnalyzerRepoPasswordPassword for authentication to connect to RetireJS URL.
dependencyCheckRetireJsAnalyzerRepoValidForSet the interval in hours until the next check for CVEs updates is performed by the RetireJS analyzer24
dependencyCheckRetireJsAnalyzerFiltersSet one or more filters for the RetireJS analyzer.
dependencyCheckRetireJsAnalyzerFilterNonVulnerableSets whether or not the RetireJS analyzer should filter non-vulnerable dependenciesfalse
dependencyCheckArtifactoryAnalyzerEnabledSets whether or not the JFrog Artifactory analyzer will be usedfalse
dependencyCheckArtifactoryAnalyzerUrlThe Artifactory server URL.
dependencyCheckArtifactoryAnalyzerUseProxySets whether Artifactory should be accessed through a proxy or not.false
dependencyCheckArtifactoryAnalyzerParallelAnalysisSets whether the Artifactory analyzer should be run in parallel or not.true
dependencyCheckArtifactoryAnalyzerUsernameThe user name (only used with API token) to connect to Artifactory instance.
dependencyCheckArtifactoryAnalyzerApiTokenThe API token to connect to Artifactory instance. Note: These settings should not be added to your local build.sbt file and commited to your code repository for security reasons. They can be added to ~/.sbt/<version>/global.sbt file instead
dependencyCheckArtifactoryAnalyzerBearerTokenThe bearer token to connect to Artifactory instance. Note: These settings should not be added to your local build.sbt file and commited to your code repository for security reasons. They can be added to ~/.sbt/<version>/global.sbt file instead
dependencyCheckGolangDepEnabledSets whether or not the experimental Golang Dependency Analyzer should be used. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckGolangModEnabledSets whether or not the experimental Golang Module Analyzer should be used. Requires go to be installed. dependencyCheckEnableExperimental must be set to true.true
dependencyCheckPathToGoThe path to the "go" runtime.

Advanced Configuration

The following properties can be configured in the plugin. However, they are less frequently changed. One exception may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.

SettingDescriptionDefault Value
dependencyCheckCveUrlModifiedURL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom dependencyCheckCveUrlBase is just a domain name change.https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
dependencyCheckCveUrlBaseBase URL for each year's CVE JSON data feed, the %d will be replaced with the year.https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
dependencyCheckCveUserThe username used when connecting to the dependencyCheckCveUrlBase.
dependencyCheckCvePasswordThe password used when connecting to the dependencyCheckCveUrlBase.
dependencyCheckCveWaitTimeThe time in milliseconds to wait between downloads from the NVD.4000
dependencyCheckCveStartYearThe first year of NVD CVE data to download from the NVD.2002
dependencyCheckConnectionTimeoutSets the URL Connection Timeout (in milliseconds) used when downloading external data.
dependencyCheckConnectionReadTimeoutSets the URL Read Timeout (in milliseconds) used when downloading external data.
dependencyCheckDataDirectorySets the data directory to hold SQL CVEs contents. This should generally not be changed.[JAR]\data
dependencyCheckDatabaseDriverNameThe name of the database driver. Example: org.h2.Driver.org.h2.Driver
dependencyCheckDatabaseDriverPathThe path to the database driver JAR file; only used if the driver is not in the class path.
dependencyCheckConnectionStringThe connection string used to connect to the database, the %s will be replace with a name for the databasejdbc:h2:file:%s;AUTOCOMMIT=ON;MV_STORE=FALSE;
dependencyCheckDatabaseUserThe username used when connecting to the database.dcuser
dependencyCheckDatabasePasswordThe password used when connecting to the database.
dependencyCheckHostedSuppressionsEnabledWhether the hosted suppression file will be used.true
dependencyCheckHostedSuppressionsForceUpdateWhether the hosted suppressions file will update regardless of the dependencyCheckAutoUpdate setting.false
dependencyCheckHostedSuppressionsUrlThe URL to a mirrored copy of the hosted suppressions file for internet-constrained environments.https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml
dependencyCheckHostedSuppressionsValidForHoursSets the number of hours to wait before checking for new updates from the NVD.2

Multi-Project setup

Use either Global or ThisBuild scope if you want to define a setting for all projects. Define on the project level if you want to diverge from the default or Global/ThisBuild setting for a specific project.

build.sbt


Global / dependencyCheckFormats := Seq("HTML", "JSON")

lazy val root = (project in file("."))
  .aggregate(core)
  .settings(
	libraryDependencies += "com.github.t3hnar" %% "scala-bcrypt" % "2.6" % "test",
	dependencyCheckSkipTestScope := false
  )

lazy val util = (project in file("util"))
  .settings(
    libraryDependencies += "commons-beanutils" % "commons-beanutils" % "1.9.1"
  )

lazy val core = project.dependsOn(util)
  .settings(
    libraryDependencies += "org.apache.commons" % "commons-collections4" % "4.1" % "runtime",
    dependencyCheckSkip := true
  )

Almost all settings are only evaluated for the project you are executing the task on, not for each individual sub-project. The exemption that are supported to work for aggregate() and dependsOn() projects, are the scope skipping settings:

You should set these individually for each project if necessary.

Changing Log Level

Add the following to your build.sbt file to increase the log level from default info to e.g. debug.

logLevel in dependencyCheck := Level.Debug

and add -Dlog4j2.level=debug when running a check:

sbt -Dlog4j2.level=debug dependencyCheck

Replace dependencyCheck with the right task name that you use for your project.

Global Plugin Configuration

If you want to apply some default configuration for all your SBT projects you can add them as Global Settings:

  1. Add the plugin to ~/.sbt/1.0/plugins/sbt-dependency-check.sbt

    addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")
    
  2. Add settings at ~/.sbt/1.0/global.sbt using their fully qualified name (including package and nested object structure). E.g.

    net.vonbuchholtz.sbt.dependencycheck.DependencyCheckPlugin.autoImport.dependencyCheckFormat := "All"
    

For further information about global settings and plugins check the sbt documentation: https://www.scala-sbt.org/1.x/docs/Global-Settings.html

Running behind a proxy

SBT and sbt-dependency-check both honor the standard http and https proxy settings for the JVM.

sbt -Dhttp.proxyHost=proxy.example.com \
    -Dhttp.proxyPort=3218 \
    -Dhttp.proxyUser=username \
    -Dhttp.proxyPassword=password \
    -DnoProxyHosts="localhost|http://www.google.com" \
    dependencyCheck

Development

Release

Run release task and follow instructions. Verify that release reached Maven Central. It takes up to two additional hours to be indexed for https://search.maven.org.

License

Copyright (c) 2016-2022 Alexander Baron v. Buchholtz

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.