Test dependency-check
https://jeremylong.github.io/DependencyCheck/index.html
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
- Run
mvn verify -DskipTests=true
- Open
target/dependency-check-report.html
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/check-mojo.html
- Run
mvn org.owasp:dependency-check-maven:3.1.1:check -Dformat=ALL -f pom.xml
- Open
target/dependency-check-report.html
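Opening the HTML report is fine for a manual look, but in CI you usually want the build to stop on serious findings instead. The plugin has its own parameter for that (failBuildOnCVSS); the script below is an added example, not code from the dependency-check project, that does the same gating over the JSON report that -Dformat=ALL writes next to the HTML one (assumed path: target/dependency-check-report.json). It relies only on the dependencies[].vulnerabilities[] layout; the score field names (cvssv3.baseScore, cvssv2.score) are an assumption to check against your report version. A constructed sample report is embedded so it runs offline.

```python
"""Fail a build when the dependency-check JSON report contains findings at or above a CVSS threshold.

Added example, not part of dependency-check. Assumes the JSON report produced by
`mvn ... -Dformat=ALL` (path and score field names are assumptions, see lead-in).
"""
import json
import sys

# Constructed sample in the shape of a dependency-check JSON report (not real scan output).
# CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "commons-io-2.4.jar", "vulnerabilities": []},
        {
            "fileName": "example-lib-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}},
                {"name": "CVE-0000-0002", "severity": "LOW", "cvssv2": {"score": 2.1}},
            ],
        },
        {"fileName": "no-vulns-key.jar"},  # entries without a "vulnerabilities" key must not crash the gate
    ],
}


def vuln_score(vuln):
    """Best available numeric score: CVSSv3 base score, else CVSSv2 score, else 0.0 (assumed field names)."""
    for key, field in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        block = vuln.get(key)
        if isinstance(block, dict) and field in block:
            return float(block[field])
    return 0.0


def findings(report, threshold):
    """Return (file_name, vuln_name, score) for every finding scoring at or above threshold."""
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score >= threshold:
                hits.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return hits


def should_fail(report, threshold=7.0):
    """Mirror the plugin's failBuildOnCVSS idea: fail when any finding scores >= threshold."""
    return bool(findings(report, threshold))


def load_report(path):
    """Read a dependency-check JSON report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # usage: python gate.py [target/dependency-check-report.json] [threshold]
    report = load_report(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    hits = findings(report, threshold)
    for file_name, name, score in hits:
        print(f"{file_name}: {name} (score {score})")
    return 1 if hits else 0  # non-zero exit code fails the CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after `mvn verify` with the report path as the first argument and the CVSS cut-off as the second; with no arguments it evaluates the embedded sample and exits 1 because the HIGH finding is above the default threshold of 7.0.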
Note: all config properties can also be passed to the CLI as command-line arguments, e.g.
dependency-check --project "demo" --scan . --cveUrl12Modified https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-modified.xml.gz --cveUrl20Modified=https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-modified.xml.gz --cveUrl12Base=https://nvd.nist.gov/feeds/xml/cve/1.2/nvdcve-%d.xml.gz --cveUrl20Base=https://nvd.nist.gov/feeds/xml/cve/2.0/nvdcve-2.0-%d.xml.gz
- Not detecting Maven/POM CPEs.
The NSP analyzer only runs online, sending package.json to nsp. https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java https://github.com/jeremylong/DependencyCheck/blob/master/core/src/main/java/org/owasp/dependencycheck/data/nsp/NspSearch.java
https://github.com/nodesecurity/nsp
npm install -g nsp
nsp gather
- downloads advisories for offline checking
nsp check --offline --advisories advisories.json