src/site/markdown/dependency-check-gradle/configuration.md
| Task | Description |
|---|---|
| dependencyCheckAnalyze | Runs dependency-check against the project and generates a report. |
| dependencyCheckAggregate | Runs dependency-check against a multi-project build and generates a report. |
| dependencyCheckUpdate | Updates the local cache of the NVD data from NIST. |
| dependencyCheckPurge | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:${project.version}'
}
}
apply plugin: 'org.owasp.dependencycheck'
check.dependsOn dependencyCheckAnalyze
| Property | Description | Default Value |
|---|---|---|
| autoUpdate | Sets whether auto-updating of the NVD API CVE data is enabled. It is not recommended that this be turned to false. | true |
| analyzedTypes | The default artifact types that will be analyzed. | ['jar', 'aar', 'js', 'war', 'ear', 'zip'] |
| format | The report format to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). | HTML |
| formats | A list of report formats to be generated (HTML, XML, CSV, JSON, JUNIT, SARIF, JENKINS, GITLAB, ALL). | |
| junitFailOnCVSS | If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. | 0 |
| failBuildOnCVSS | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. More information on CVSS scores can be found at the NVD | 11 |
| failOnError | Fails the build if an error occurs during the dependency-check analysis. | true |
| outputDirectory | The location to write the report(s). This directory will be located in the build directory. | ${buildDir}/reports |
| skipTestGroups | When set to true (the default) all dependency groups that being with 'test' will be skipped. | true |
| suppressionFile | The file path to the XML suppression file - used to suppress false positives. The configured value can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | |
| suppressionFiles | A list of file paths to the XML suppression files - used to suppress false positives. The configured values can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/dependency-check/DependencyCheck/issues/1878#issuecomment-487533799) | |
| failBuildOnUnusedSuppressionRule | Specifies that if any unused suppression rule is found, the build will fail. This is best combined with a Gradle CLI --warn arg or org.gradle.logging.level=warn property so the unused rules are logged before task failure. | false |
| hintsFile | The file path to the XML hints file - used to resolve false negatives | |
| skip | If set to true dependency-check analysis will be skipped. | false |
| skipConfigurations | A list of configurations that will be skipped. This is mutually exclusive with the scanConfigurations property. | [] which means no configuration is skipped. |
| scanConfigurations | A list of configurations that will be scanned, all other configurations are skipped. This is mutually exclusive with the skipConfigurations property. | [] which implicitly means all configurations get scanned. |
| scanProjects | A list of projects that will be scanned, all other projects are skipped. The list or projects to skip must include a preceding colon: scanProjects = [':app']. This is mutually exclusive with the skipProjects property. | [] which implicitly means all projects get scanned. |
| skipProjects | A list of projects that will be skipped. The list or projects to skip must include a preceding colon: skipProjects = [':sub1']. This is mutually exclusive with the scanProjects property. | [] which means no projects are skipped. |
| scanBuildEnv | A boolean indicating whether to scan the buildEnv. | false |
| scanDependencies | A boolean indicating whether to scan the dependencies. | true |
| scanSet | A list of directories that will be scanned for additional dependencies. | ['src/main/resources','src/main/webapp', './package.json', './package-lock.json', './npm-shrinkwrap.json', './Gopkg.lock', './go.mod'] |
dependencyCheck {
autoUpdate = false
format = 'ALL'
}
Please see https://docs.gradle.org/current/userguide/build_environment.html#sec:accessing_the_web_via_a_proxy
The following properties can be configured in the dependencyCheck task. However, they are less frequently changed.
| Config Group | Property | Description | Default Value |
|---|---|---|---|
| showSummary | Whether to print the summary of found vulnerabilities after completion. | true | |
| suppressionFileUser | Credentials used for basic authentication for web-hosted suppression files | ||
| suppressionFilePassword | Credentials used for basic authentication for web-hosted suppression files | ||
| suppressionFileBearerToken | Credentials used for bearer authentication for web-hosted suppression files | ||
| nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | |
| nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
| nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key |
| nvd | resultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000 |
| nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data | |
| nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. | |
| nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. | |
| nvd | datafeedBearerToken | Credentials used for bearer authentication for the NVD API Data feed. | |
| nvd | validForHours | The number of hours to wait before checking for new updates from the NVD. | 4 |
| data | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | |
| data | driver | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path. | |
| data | driverPath | The path to the database driver JAR file; only needs to be set if the driver is not in the class path. | |
| data | connectionString | The connection string used to connect to the database. See using a database server. | |
| data | username | The username used when connecting to the database. | |
| data | password | The password used when connecting to the database. | |
| slack | enabled | Whether or not slack notifications are enabled. | false |
| slack | webhookUrl | The custom incoming webhook URL to receive notifications. Note that the current implementation only notifies about build failures so this should be used in combination with failBuildOnCVSS. | |
| hostedSuppressions | enabled | Whether the hosted suppressions file will be used. | true |
| hostedSuppressions | forceupdate | Sets whether hosted suppressions file will update regardless of the autoupdate setting. | false |
| hostedSuppressions | url | The URL to a mirrored copy of the hosted suppressions file for internet-constrained environments. | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
| hostedSuppressions | user | Credentials used for basic authentication for the hosted suppressions file. | |
| hostedSuppressions | password | Credentials used for basic authentication for the hosted suppressions file. | |
| hostedSuppressions | bearerToken | Credentials used for bearer authentication for the hosted suppressions file. | |
| hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 |
| cache | ossIndex | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours. | true |
| cache | central | Sets whether the Central Analyzer will cache results. Cached results expire after 30 days. | true |
| cache | nodeAudit | Sets whether the Node Audit Analyzer should cache results locally. Cached results expire after 24 hours. | true |
dependencyCheck {
data.directory = 'd:/nvd'
}
In addition to the above, the dependencyCheck plugin can be configured to enable or disable specific
analyzers by configuring the analyzers section. Note, specific file type analyzers will automatically
disable themselves if no file types that they support are detected - so specifically disabling the
analyzers is likely not needed.
| Config Group | Property | Description | Default Value |
|---|---|---|---|
| analyzers | experimentalEnabled | Sets whether the experimental analyzers will be used. If not set to true the analyzers marked as experimental (see below) will not be used | false |
| analyzers | archiveEnabled | Sets whether the Archive Analyzer will be used. | true |
| analyzers | zipExtensions | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | |
| analyzers | jarEnabled | Sets whether Jar Analyzer will be used. | true |
| analyzers | dartEnabled | Sets whether the experimental Dart Analyzer will be used. experimentalEnabled must be set to true. | true |
| analyzers | centralEnabled | Sets whether Central Analyzer will be used. If you have non-Gradle-managed jar dependencies inside archives or non-Java ecosystem dependencies, you may want to enable this analyzer (or the alternative Nexus/Artifactory analyzers) to reduce chance of false negatives. | false |
| analyzers | pyDistributionEnabled | Sets whether the experimental Python Distribution Analyzer will be used. experimentalEnabled must be set to true. | true |
| analyzers | pyPackageEnabled | Sets whether the experimental Python Package Analyzer will be used. experimentalEnabled must be set to true. | true |
| analyzers | rubygemsEnabled | Sets whether the experimental Ruby Gemspec Analyzer will be used. experimentalEnabled must be set to true. | true |
| analyzers | opensslEnabled | Sets whether the openssl Analyzer should be used. | true |
| analyzers | nuspecEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true |
| analyzers | nugetconfEnabled | Sets whether the experimental .NET Nuget packages.config Analyzer will be used. experimentalEnabled must be set to true. | true |
| analyzers | assemblyEnabled | Sets whether the .NET Assembly Analyzer should be used. | true |
| analyzers | msbuildEnabled | Sets whether the MS Build Analyzer should be used. | true |
| analyzers | pathToDotnet | The path to dotnet core - needed on some systems to analyze .net assemblies. | |
| analyzers | cmakeEnabled | Sets whether the experimental CMake Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | autoconfEnabled | Sets whether the experimental autoconf Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | composerEnabled | Sets whether the experimental PHP Composer Lock File Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | composerSkipDev | Sets whether the experimental PHP Composer Lock File Analyzer should skip "packages-dev". | false |
| analyzers | cpanEnabled | Sets whether the experimental Perl CPAN File Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | cocoapodsEnabled | Sets whether the experimental Cocoapods Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | carthageEnabled | Sets whether the experimental Carthage Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | swiftEnabled | Sets whether the experimental Swift Package Manager Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | swiftPackageResolvedEnabled | Sets whether the experimental Swift Package Resolved Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | bundleAuditEnabled | Sets whether the Ruby Bundle Audit Analyzer should be used. | true |
| analyzers | pathToBundleAudit | The path to bundle audit. | |
| analyzers | golangDepEnabled | Sets whether the experimental Golang Dependency Analyzer should be used. experimentalEnabled must be set to true. | true |
| analyzers | golangModEnabled | Sets whether the experimental Goland Module Analyzer should be used; requires go to be installed. experimentalEnabled must be set to true. | true |
| analyzers | pathToGo | The path to go. |
Within the analyzers group, the following sub-groups are configurable.
| Config Group | Property | Description | Default Value |
|---|---|---|---|
| nexus | enabled | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations. | false |
| nexus | url | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | |
| nexus | usesProxy | Whether the defined proxy should be used when connecting to Nexus. | true |
| nexus | user | The username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection. | |
| nexus | password | The password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection. | |
| artifactory | enabled | Sets whether Artifactory analyzer will be used. This analyzer is an alternative to the Central or Nexus Analyzers, allowing metadata retrieval from Artifactory installations. | false |
| artifactory | url | The Artifactory server URL. | |
| artifactory | usesProxy | Whether Artifactory should be accessed through a proxy or not. | false |
| artifactory | parallelAnalysis | Whether the Artifactory analyzer should be run in parallel or not. | true |
| artifactory | username | The user name (only used with API token) to connect to Artifactory instance. | |
| artifactory | apiToken | The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId,artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken | |
| artifactory | bearerToken | The bearer token to connect to Artifactory instance. | |
| kev | enabled | Sets whether the Known Exploited Vulnerability update and analyzer are enabled. | true |
| kev | url | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed. | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |
| kev | user | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | |
| kev | password | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | |
| kev | bearerToken | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | |
| kev | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 |
| nodePackage | enabled | Sets whether the Node Package Analyzer should be used. | true |
| nodePackage | skipDevDependencies | Sets whether the Node Package Analyzer will skip devDependencies. | false |
| nodeAudit | enabled | Sets whether the Node Audit Analyzer should be used. This analyzer requires an internet connection. | true |
| nodeAudit | useCache | Sets whether the Node Audit Analyzer should cache results locally. Cached results expire after 24 hours. | true |
| nodeAudit | skipDevDependencies | Sets whether the Node Audit Analyzer should skip devDependencies. | false |
| nodeAudit | pnpmEnabled | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires yarn and an internet connection. | true |
| nodeAudit | pnpmPath | Sets the path to the pnpm executable. | |
| nodeAudit | yarnEnabled | Sets whether the Yarn Audit Analyzer should be used. This analyzer requires yarn and an internet connection. | true |
| nodeAudit | yarnPath | Sets the path to the yarn executable. | |
| nodeAudit | pnpmEnabled | Sets whether the Pnpm Audit Analyzer should be used. This analyzer requires pnpm and an internet connection. | true |
| nodeAudit | pnpmPath | The path to pnpm. | |
| nodeAudit | url | The node audit API url to use. | |
| retirejs | enabled | Sets whether the RetireJS Analyzer should be used. | true |
| retirejs | forceupdate | Sets whether the RetireJS Analyzer should update regardless of the autoupdate setting. | false |
| retirejs | retireJsUrl | The URL to the Retire JS repository. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
| retirejs | user | Credentials used for basic authentication for the Retire JS repository URL. | |
| retirejs | password | Credentials used for basic authentication for the Retire JS repository URL. | |
| retirejs | bearerToken | Credentials used for bearer authentication for the Retire JS repository URL. | |
| retirejs | filterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. | false |
| retirejs | filters | Configures the list of regular expressions used to filter JS files based on content. | |
| ossIndex | enabled | Sets whether the OSS Index Analyzer will be used. This analyzer requires an internet connection, and authentication is mandatory. | true |
| ossIndex | url | Alternative base URL for the OSS Index API. If not set the public Sonatype OSS Index API on Sonatype Guide will be used. | https://api.guide.sonatype.com |
| ossIndex | username | (deprecated) Sets the OSS Index API username for use with legacy OSS Index API tokens. Username is not required after migration to using Sonatype Guide personal access token as password. | |
| ossIndex | password | Sets the Sonatype Guide personal access token or (deprecated) legacy OSS Index API token to authenticate with. | |
| ossIndex | validForHours | The number of hours to wait before checking for new updates on individual packages/components from Sonatype OSS Index | 24 |
| ossIndex | warnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false |
dependencyCheck {
analyzers.assemblyEnabled = false
analyzers.artifactory.enabled = true
analyzers.artifactory.url = 'https://internal.artifactory.url'
analyzers.retirejs.filters = ['(i)copyright Jeremy Long']
analyzers.ossIndex.password = 'sonatype_pat_42cc601cd7ff12a531a0b1eada8dcf56d777b336'
}