Open Source
Dependency-Check is an open-source tool, which means it is freely accessible and can be modified and distributed by anyone under the terms of its license.
OWASP Backing
Being a project under the OWASP umbrella, Dependency-Check benefits from a reputable organization dedicated to improving software security, ensuring quality and reliability.
Comprehensive Vulnerability Database
It uses the National Vulnerability Database (NVD) and other sources to identify known vulnerabilities, providing a wide coverage of potential threats across dependencies.
Integration Capabilities
Dependency-Check can be easily integrated with various CI/CD pipelines, IDEs, and build tools, enhancing its usability across different environments and workflows.
Multiple Formats Support
It supports scanning dependencies from multiple formats like Maven, Gradle, and Jenkins, accommodating diverse project setups.
We have collected here some useful links to help you find out if Dependency-Check is good.
Check the traffic stats of Dependency-Check on SimilarWeb. The key metrics to look for are: monthly visits, average visit duration, pages per visit, and traffic by country. Moreoever, check the traffic sources. For example "Direct" traffic is a good sign.
Check the "Domain Rating" of Dependency-Check on Ahrefs. The domain rating is a measure of the strength of a website's backlink profile on a scale from 0 to 100. It shows the strength of Dependency-Check's backlink profile compared to the other websites. In most cases a domain rating of 60+ is considered good and 70+ is considered very good.
Check the "Domain Authority" of Dependency-Check on MOZ. A website's domain authority (DA) is a search engine ranking score that predicts how well a website will rank on search engine result pages (SERPs). It is based on a 100-point logarithmic scale, with higher scores corresponding to a greater likelihood of ranking. This is another useful metric to check if a website is good.
The latest comments about Dependency-Check on Reddit. This can help you find out how popualr the product is and what people think about it.
Snyk Open Source competes primarily with Dependabot (GitHub's free dependency scanner), OWASP Dependency-Check, Mend Renovate, and Black Duck. - Source: dev.to / 4 months ago
OWASP Dependency-Check free and CI-friendly, perfect for catching risky libraries early. - Source: dev.to / 9 months ago
9 Finally, before committing to integrating the package, if there are any doubts it might be worth checking the package with the OWASP Dependency Checker. - Source: dev.to / 10 months ago
OWASP Dependency-Check represents the leading open-source tool for dependency vulnerability scanning. - Source: dev.to / 10 months ago
OWASP Dependency Check is a tool that analyzes dependencies and checks for known issues. You can access it through the following link: Https://owasp.org/www-project-dependency-check. - Source: dev.to / about 2 years ago
To detect these types of vulnerabilities, we should first and foremost know our dependencies and versions, and which of them have vulnerabilities. The OWASP Top 10 2021 identifies this need as A06:2021-Vulnerable and Outdated Components. OWASP has several tools for this, including Dependency Check and Dependency Track. These tools will warn about the use of components with vulnerabilities. - Source: dev.to / over 2 years ago
You can scan your code repositories using OWASP Dependency-Check within a Harness pipeline. Within the gar-build-and-push stage, click on + Add Step โ Add Step before the BuildAndPushGAR step. From the step library, find Owasp under the Security Tests section. - Source: dev.to / over 2 years ago
Build tools, ie Maven, can provide information about available updates (ie mvn versions:display-dependency-updates) also it may be usefull to check your dependencies againts know voulnerabillities (ie Https://owasp.org/www-project-dependency-check/). Source: over 3 years ago
In this article we looked at the functionality on the Amazon Inspector for AWS Lambda functions, how the scanning functions can be activated. After that we looked into scan results and what information it provides to us to remediate the detected vulnerabilities. Of course there are other tools available in this area like OWASP Dependency-Check or Snyk which are mostly designed to be integrated in CI/CD process.... - Source: dev.to / over 3 years ago
Cloud security vulnerabilities are a significant concern and they come in many shapes and sizes. One type of vulnerability that is particularly concerning is code dependency vulnerabilities. These vulnerabilities arise when an application or system relies on a third-party code library or module that contains a security flaw. If this flaw is not discovered and addressed, it can be exploited by attackers to gain... - Source: dev.to / over 3 years ago
OWASP Dependency-Check a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. We can also publish our SBOM report to Dependency-Track and... - Source: dev.to / almost 4 years ago
Put a dependency check in your builds. Raise build errors when something is bad. Have it build on a regular basis (could be every month)... And then fix things. https://owasp.org/www-project-dependency-check/ And some examples - https://jeremylong.github.io/DependencyCheck/dependency-check-maven/. - Source: Hacker News / almost 4 years ago
Use a tool like OWASP Dependency-Check to detect high-risk CVEs in your dependencies. Source: about 4 years ago
I use OpenCVE for alerts but it doesn't have everything for full coverage we have whitesource hooked into our CI pipelines. OWASP dependency check is a free alternative: https://owasp.org/www-project-dependency-check/. Source: about 4 years ago
This one has proved very useful - OWASP dependency checker - downloads the NVD and crosschecks any CVEs to dependencies you use: https://owasp.org/www-project-dependency-check/. Source: over 4 years ago
Make sure you know what you are running on your platform. The Software Bill of Materials (SBoM) describes all the various software components on which your system is based. If you keep an active track of your SBoM with tools like OWASP dependencyTrack, it becomes easier to know whether software you are using is vulnerable. Additionally there are great open-source tools, like the OWASP Dependency Checker, Trivy,... - Source: dev.to / over 4 years ago
Project site: https://owasp.org/www-project-dependency-check/. Source: over 4 years ago
When I started working with Scala, it really surprised me how the JVM world deals with dependencies (include an upstream jar directly in the project, as opposed to the Linux distro model where you use your distributor packages so you have security and bug fixes). I'm a big fan of Dependency Check[1]. There are hosted services that can give you security scans, but if you don't have access to that (some have a cost)... - Source: Hacker News / over 4 years ago
The first option we have studied is the approach used in OWASP Dependency Check. The approach is simple โ for each dependency, this utility searches for a corresponding identifier in the CPE (Common Platform Enumeration) database. In fact, the CPE database is a list with information about products, their versions, vendors, and so on. To implement SCA, we must obtain CPE and CVE correspondences. Thus, getting a CVE... - Source: dev.to / over 4 years ago
In order to prevent this issue, your organization needs to implement regular checks of your dependencies against the CVE database for known vulnerabilities, as well as establishing a process for keeping all dependencies up-to-date. Fortunately, much of this can be automated using vulnerability scanning tools, such as the OWASP Dependency Check, RetireJS, or Brakeman. Additional tools, such as WhiteSource's... - Source: dev.to / about 5 years ago
Consider using tools such as OWASP Dependency Check, License Plugin or even more complex tools such as Black Duck. - Source: dev.to / about 5 years ago
Do you know an article comparing Dependency-Check to other products?
Suggest a link to a post with product alternatives.
Is Dependency-Check good? This is an informative page that will help you find out. Moreover, you can review and discuss Dependency-Check here. The primary details have not been verified within the last quarter, and they might be outdated. If you think we are missing something, please use the means on this page to comment or suggest changes. All reviews and comments are highly encouranged and appreciated as they help everyone in the community to make an informed choice. Please always be kind and objective when evaluating a product and sharing your opinion.