src/site/markdown/dependency-check-gradle/configuration-update.md
| Task | Description |
|---|---|
| dependencyCheckAnalyze | Runs dependency-check against the project and generates a report. |
| dependencyCheckAggregate | Runs dependency-check against a multi-project build and generates a report. |
| dependencyCheckUpdate | Updates the local cache of the NVD data from NIST. |
| dependencyCheckPurge | Deletes the local copy of the NVD. This is used to force a refresh of the data. |
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:${project.version}'
}
}
apply plugin: 'org.owasp.dependencycheck'
check.dependsOn dependencyCheckUpdate
| Property | Description | Default Value |
|---|---|---|
| failOnError | Fails the build if an error occurs during the dependency-check analysis. | true |
dependencyCheck {
failOnError = true
}
Please see https://docs.gradle.org/current/userguide/build_environment.html#sec:accessing_the_web_via_a_proxy
The following properties can be configured in the dependencyCheck task. However, they are less frequently changed.
| Config Group | Property | Description | Default Value |
|---|---|---|---|
| nvd | apiKey | The API Key to access the NVD API; obtained from https://nvd.nist.gov/developers/request-an-api-key | |
| nvd | endpoint | The NVD API endpoint URL; setting this is uncommon. | https://services.nvd.nist.gov/rest/json/cves/2.0 |
| nvd | maxRetryCount | The maximum number of retry requests for a single call to the NVD API. | 10 |
| nvd | delay | The number of milliseconds to wait between calls to the NVD API. | 3500 with an NVD API Key or 8000 without an API Key . |
| nvd | resultsPerPage | The number records for a single page from NVD API (must be <=2000). | 2000 |
| nvd | datafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data | |
| nvd | datafeedUser | Credentials used for basic authentication for the NVD API Data feed. | |
| nvd | datafeedPassword | Credentials used for basic authentication for the NVD API Data feed. | |
| nvd | datafeedBearerToken | Credentials used for bearer authentication for the NVD API Data feed. | |
| nvd | validForHours | The number of hours to wait before checking for new updates from the NVD. | 4 |
| data | directory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | ~/.gradle/dependency-check-data/ |
| data | driver | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path. | |
| data | driverPath | The path to the database driver JAR file; only needs to be set if the driver is not in the class path. | |
| data | connectionString | The connection string used to connect to the database. See using a database server. | |
| data | username | The username used when connecting to the database. | |
| data | password | The password used when connecting to the database. | |
| hostedSuppressions | enabled | Whether the hosted suppressions file will be used. | true |
| hostedSuppressions | forceupdate | Sets whether hosted suppressions file will update regardless of the autoupdate setting. | false |
| hostedSuppressions | url | The URL to (a mirror of) the hosted suppressions file. | https://dependency-check.github.io/DependencyCheck/suppressions/publishedSuppressions.xml |
| hostedSuppressions | user | Credentials used for basic authentication for the hosted suppressions file. | |
| hostedSuppressions | password | Credentials used for basic authentication for the hosted suppressions file. | |
| hostedSuppressions | bearerToken | Credentials used for bearer authentication for the hosted suppressions file. | |
| hostedSuppressions | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 |
dependencyCheck {
data.directory = 'd:/nvd'
}
Cached web datasources for several analyzers are configured inside the analyzers section with some properties
as the update task. In addition to the above, the update task can be customized for retrieval
of these resources by the following analyzer-specific properties underneath the analyzers section.
The subset of analyzers properties relevant to the update task are:
| Config Group | Property | Description | Default Value |
|---|---|---|---|
| kev | enabled | Sets whether the Known Exploited Vulnerability update and analyzer are enabled. | true |
| kev | url | The URL to (a mirror of) the CISA Known Exploited Vulnerabilities JSON data feed. | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |
| kev | user | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | |
| kev | password | Credentials used for basic authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | |
| kev | bearerToken | Credentials used for bearer authentication for the CISA Known Exploited Vulnerabilities JSON data feed. | |
| kev | validForHours | The number of hours to wait before checking for new updates of the hosted suppressions file . | 2 |
| retirejs | enabled | Sets whether the RetireJS Analyzer should be used. | true |
| retirejs | forceupdate | Sets whether the RetireJS Analyzer should update regardless of the autoupdate setting. | false |
| retirejs | retireJsUrl | The URL to the Retire JS repository. | https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json |
| retirejs | user | Credentials used for basic authentication for the Retire JS repository URL. | |
| retirejs | password | Credentials used for basic authentication for the Retire JS repository URL. | |
| retirejs | bearerToken | Credentials used for bearer authentication for the Retire JS repository URL. |
dependencyCheck {
analyzers.retirejs.enabled = false
}