Test dependency-check.

https://jeremylong.github.io/DependencyCheck/index.html

https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html

1. Run mvn verify -DskipTests=true
2. Open target/dependency-check-report.html

https://jeremylong.github.io/DependencyCheck/dependency-check-maven/check-mojo.html

1. Run mvn org.owasp:dependency-check-maven:3.1.1:check --format=ALL -f pom.xml
2. Open target/dependency-check-report.html

Note taking all config properties as command line arguments

dependency-check --project "demo" --scan . --cveUrl12Modified https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz --cveUrl20Modified=https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz --cveUrl12Base=https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz --cveUrl20Base=https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz

• Not detecting Maven/POM CPEs.

Only runs online, sending package.json to nsp. https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java

https://github.com/nodesecurity/nsp

1. npm install -g nsp
2. nsp gather - downloads advisories for offline checking
3. nsp check --offline --advisories advisories.json