How do I scan my application with OWASP Dependency-Check on the command line?

Question

I would like to scan my application to find out potential vulnerabilities with libraries and frameworks I am using. How do I scan with OWASP Dependency-Check on the command line?

Answer

OWASP offers a free, open-source tool called Dependency-Check that scans applications written in a wide variety of programming languages and environments and identifies dependencies with publicly known vulnerabilities (e.g. published Common Vulnerabilities and Exposures, or CVEs). The tool can be downloaded for free from OWASP here. If you wish to scan from the command line, download the “Command line” version of the tool. Installation instructions can be found on the OWASP site here.

Once installed, the tool is run against a directory that contains your code, build files, and dependencies. On Windows, for example, the batch script is invoked as follows:

dependency-check.bat --project "MyApp" --scan "C:\Code\src"

You can additionally define the output file and format, generate log files, or perform other more advanced tasks using additional options on the command line. For example, to generate an HTML report and a log file, the following command could be used:

dependency-check.bat --project "MyApp" --scan "C:\Code\src" --format "HTML" --out "C:\Reports\dep-check" --log "C:\Logs\dep-check.log"
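As an added example (not part of the original answer and not code from the Dependency-Check project), the following Python wrapper builds the same command with --format JSON and the tool's --failOnCVSS option, then reads the JSON report the tool writes (dependency-check-report.json) and lists every finding at or above a CVSS threshold so a CI job can fail on it. It assumes the CLI script is on PATH and that the report uses the layout described in the docstring (top-level "dependencies", each with "fileName" and an optional "vulnerabilities" list carrying "name", "severity" and a "cvssv3"/"cvssv2" object with the base score); the sample data in the comments is constructed.

```python
"""Run OWASP Dependency-Check and gate a build on its JSON report.

Assumed report layout (verify against your tool version):
  {"dependencies": [{"fileName": "...", "vulnerabilities": [
      {"name": "CVE-...", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}}]}]}
"""
import json
import os
import subprocess
import sys

def build_command(project, scan_dir, out_dir, log_file, fail_on_cvss=7.0):
    """Build the CLI argv. --failOnCVSS makes the tool itself exit non-zero
    when any finding reaches the given CVSS base score."""
    exe = "dependency-check.bat" if os.name == "nt" else "dependency-check.sh"
    return [exe, "--project", project, "--scan", scan_dir,
            "--format", "JSON", "--out", out_dir, "--log", log_file,
            "--failOnCVSS", str(fail_on_cvss)]

def score_of(vuln):
    """Prefer the CVSS v3 base score, then v2; the field name has varied
    across report versions ("baseScore" or "score"), so accept both."""
    for key in ("cvssv3", "cvssv2"):
        data = vuln.get(key) or {}
        for field in ("baseScore", "score"):
            if field in data:
                return float(data[field])
    return 0.0

def findings_at_or_above(report, threshold):
    """Return (fileName, vulnerability id, score) tuples, highest score first."""
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "reports"
    cmd = build_command("MyApp", "src", out_dir, "dep-check.log")
    subprocess.run(cmd, check=False)  # exit status is decided from the report below
    with open(os.path.join(out_dir, "dependency-check-report.json"), encoding="utf-8") as fh:
        report = json.load(fh)
    hits = findings_at_or_above(report, 7.0)
    for file_name, vuln_id, score in hits:
        print(f"{score:>4}  {vuln_id:<16} {file_name}")
    sys.exit(1 if hits else 0)
```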
