dependency-check-core
Used in:
components
- OverviewOverview
- VersionsVersions
- DependentsDependents
- DependenciesDependencies
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-core</artifactId>
<version>12.1.1</version>
</dependency><!--
This file is part of dependency-check-core.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Copyright (c) 2012 Jeremy Long. All Rights Reserved.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-parent</artifactId>
<version>12.1.1</version>
</parent>
<artifactId>dependency-check-core</artifactId>
<packaging>jar</packaging>
<name>Dependency-Check Core</name>
<description>dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platfrom Enumeration (CPE), if any CPE identifiers are found the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.</description>
<scm>
<connection>scm:git:https://github.com/dependency-check/DependencyCheck.git</connection>
<url>https://github.com/dependency-check/DependencyCheck/tree/main/core</url>
<developerConnection>scm:git:git@github.com/dependency-check/DependencyCheck.git</developerConnection>
<tag>v12.1.1</tag>
</scm>
<build>
<resources>
<resource>
<directory>src/main/resources</directory>
<includes>
<include>**/*.properties</include>
<include>**/schema/*.xsd</include>
</includes>
<filtering>true</filtering>
</resource>
<resource>
<directory>${basedir}/src/main/resources/templates</directory>
<targetPath>templates</targetPath>
<excludes>
<exclude>csvReport.vsl</exclude>
</excludes>
<filtering>true</filtering>
</resource>
<resource>
<directory>${basedir}/src/main/resources/templates</directory>
<targetPath>templates</targetPath>
<includes>
<include>csvReport.vsl</include>
</includes>
<filtering>false</filtering>
</resource>
<resource>
<directory>${basedir}/..</directory>
<targetPath>META-INF</targetPath>
<includes>
<include>LICENSE.txt</include>
<include>NOTICE.txt</include>
</includes>
</resource>
<resource>
<directory>src/main/resources</directory>
<excludes>
<exclude>**/*.properties</exclude>
<exclude>**/*.gif</exclude>
<exclude>**/*.js</exclude>
<exclude>**/schema/**/*.xsd</exclude>
<exclude>**/schema/**/*.xml</exclude>
<exclude>**/schema/**/*.bat</exclude>
<exclude>**/schema/**/*.sh</exclude>
</excludes>
<filtering>false</filtering>
</resource>
</resources>
<testResources>
<testResource>
<directory>src/test/resources</directory>
<includes>
<include>**/*.properties</include>
</includes>
<filtering>true</filtering>
</testResource>
<testResource>
<directory>${basedir}/../src/test/resources</directory>
<filtering>false</filtering>
</testResource>
<testResource>
<directory>${basedir}/src/test/resources</directory>
<filtering>false</filtering>
</testResource>
</testResources>
<plugins>
<plugin>
<groupId>org.jsonschema2pojo</groupId>
<artifactId>jsonschema2pojo-maven-plugin</artifactId>
<executions>
<!-- <execution>
<id>generate-nvd</id>
<phase>generate-sources</phase>
<goals>
<goal>generate</goal>
</goals>
<configuration>
<sourceDirectory>${basedir}/src/main/resources/schema/external/nvd</sourceDirectory>
<outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
<includeGetters>true</includeGetters>
<annotationStyle>jackson</annotationStyle>
<targetPackage>org.owasp.dependencycheck.data.nvd.json</targetPackage>
</configuration>
</execution>-->
<execution>
<id>generate-knownexploited</id>
<phase>generate-sources</phase>
<goals>
<goal>generate</goal>
</goals>
<configuration>
<includeGeneratedAnnotation>false</includeGeneratedAnnotation>
<sourceDirectory>${basedir}/src/main/resources/schema/external/cisa</sourceDirectory>
<outputDirectory>${project.build.directory}/generated-sources/java</outputDirectory>
<includeGetters>true</includeGetters>
<annotationStyle>jackson</annotationStyle>
<targetPackage>org.owasp.dependencycheck.data.knownexploited.json</targetPackage>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<configuration>
<excludes>${project.build.directory}/generated-sources/java/**/*.java</excludes>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<phase>generate-resources</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<outputDirectory>${project.build.directory}/test-classes</outputDirectory>
<includeScope>test</includeScope>
<excludeArtifactIds>dependency-check-utils</excludeArtifactIds>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<executions>
<execution>
<id>test-jar</id>
<phase>package</phase>
<goals>
<goal>test-jar</goal>
</goals>
<configuration>
<includes>
<include>**/*.class</include>
</includes>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>open-vulnerability-clients</artifactId>
</dependency>
<dependency>
<groupId>org.anarres.jdiagnostics</groupId>
<artifactId>jdiagnostics</artifactId>
</dependency>
<dependency>
<groupId>org.whitesource</groupId>
<artifactId>pecoff4j</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-jcs3-core</artifactId>
</dependency>
<dependency>
<groupId>io.github.jeremylong</groupId>
<artifactId>jcs3-slf4j</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.github.package-url</groupId>
<artifactId>packageurl-java</artifactId>
</dependency>
<dependency>
<groupId>us.springett</groupId>
<artifactId>cpe-parser</artifactId>
</dependency>
<dependency>
<groupId>org.semver4j</groupId>
<artifactId>semver4j</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
<!-- Set this to test so that each project that uses this has to have its own implementation of SLF4J -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-utils</artifactId>
<version>${project.parent.version}</version>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-test-framework</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-dbcp2</artifactId>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-core</artifactId>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-analysis-common</artifactId>
</dependency>
<dependency>
<groupId>org.apache.lucene</groupId>
<artifactId>lucene-queryparser</artifactId>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity-engine-core</artifactId>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>jakarta.json</artifactId>
</dependency>
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-jsr310</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.module</groupId>
<artifactId>jackson-module-blackbird</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-yaml</artifactId>
</dependency>
<dependency>
<groupId>com.h3xstream.retirejs</groupId>
<artifactId>retirejs-core</artifactId>
</dependency>
<dependency>
<groupId>org.sonatype.ossindex</groupId>
<artifactId>ossindex-service-client</artifactId>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>
<dependency>
<groupId>com.moandjiezana.toml</groupId>
<artifactId>toml4j</artifactId>
<version>0.7.2</version>
</dependency>
<dependency>
<groupId>com.hankcs</groupId>
<artifactId>aho-corasick-double-array-trie</artifactId>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-validator</groupId>
<artifactId>commons-validator</artifactId>
</dependency>
<dependency>
<groupId>org.eclipse.packager</groupId>
<artifactId>packager-rpm</artifactId>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5</artifactId>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
</dependency>
<dependency>
<groupId>org.sonatype.goodies</groupId>
<artifactId>package-url-java</artifactId>
<version>1.2.0</version>
</dependency>
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>2.14.0</version>
</dependency>
<dependency>
<groupId>org.sonatype.ossindex</groupId>
<artifactId>ossindex-service-api</artifactId>
<version>1.8.2</version>
</dependency>
<dependency>
<groupId>com.esotericsoftware</groupId>
<artifactId>minlog</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>com.vaadin.external.google</groupId>
<artifactId>android-json</artifactId>
<version>0.0.20131108.vaadin1</version>
</dependency>
<dependency>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
<version>1.4.01</version>
<scope>test</scope>
</dependency>
</dependencies>
<profiles>
<profile>
<id>TestMavenPlugin-core</id>
<activation>
<property>
<name>testMavenPlugin</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>MySQL-IntegrationTest</id>
<activation>
<property>
<name>mysql</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<data.driver_path>${driver_path}</data.driver_path>
<data.driver_name>${driver_name}</data.driver_name>
<data.connection_string>${connection_string}</data.connection_string>
</systemPropertyVariables>
<includes>
<include>**/*MySqlIT.java</include>
</includes>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>Postgresql-IntegrationTest</id>
<activation>
<property>
<name>postgresql</name>
</property>
</activation>
<dependencies>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>42.7.5</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<data.driver_path>${driver_path}</data.driver_path>
<data.driver_name>${driver_name}</data.driver_name>
<data.connection_string>${connection_string}</data.connection_string>
</systemPropertyVariables>
<includes>
<include>**/*MySqlIT.java</include>
</includes>
</configuration>
<executions>
<execution>
<goals>
<goal>integration-test</goal>
<goal>verify</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>test-dependencies</id>
<!-- dependencies required for unit and integration tests -->
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>${maven-dependency-plugin.version}</version>
<configuration>
<usedDependencies combine.children="append">
<!-- dependencies to be copied for use in unit/integration testcases are, due to
lack of a test-runtime scope, configured as test-scoped / optional and should be
considered used for dependency:analyze-report -->
<usedDependency>org.springframework:spring-webmvc</usedDependency>
<usedDependency>org.mortbay.jetty:jetty</usedDependency>
<usedDependency>net.sf.ehcache:ehcache-core</usedDependency>
<usedDependency>com.google.inject:guice</usedDependency>
<usedDependency>org.apache.struts:struts2-core</usedDependency>
<usedDependency>xalan:xalan</usedDependency>
<usedDependency>com.hazelcast:hazelcast</usedDependency>
<usedDependency>commons-fileupload:commons-fileupload</usedDependency>
<usedDependency>org.jslipc:jslipc</usedDependency>
<usedDependency>com.thoughtworks.xstream:xstream</usedDependency>
<usedDependency>org.dojotoolkit:dojo-war</usedDependency>
<usedDependency>org.apache.openjpa:openjpa</usedDependency>
<usedDependency>uk.ltd.getahead:dwr</usedDependency>
<usedDependency>org.glassfish.main.admingui:war</usedDependency>
<usedDependency>org.springframework.retry:spring-retry</usedDependency>
<usedDependency>io.github.faob-dev:aar</usedDependency>
<usedDependency>org.apache.maven.scm:maven-scm-provider-cvsexe</usedDependency>
<usedDependency>org.apache.axis2:axis2-spring</usedDependency>
<usedDependency>org.apache.geronimo.daytrader:daytrader-ear</usedDependency>
<usedDependency>org.springframework.security:spring-security-web</usedDependency>
<usedDependency>org.apache.axis2:axis2-adb</usedDependency>
</usedDependencies>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
<dependencies>
<!-- The following dependencies are only used during testing
and must not be converted to a properties based version number -->
<dependency>
<groupId>io.github.faob-dev</groupId>
<artifactId>aar</artifactId>
<version>1.0.0</version>
<type>aar</type>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.jslipc</groupId>
<artifactId>jslipc</artifactId>
<version>0.2.0</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.maven.scm</groupId>
<artifactId>maven-scm-provider-cvsexe</artifactId>
<version>1.8.1</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>2.5.5</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.0.0.RELEASE</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.hazelcast</groupId>
<artifactId>hazelcast</artifactId>
<version>2.5</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache-core</artifactId>
<version>2.2.0</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.struts</groupId>
<artifactId>struts2-core</artifactId>
<version>2.1.2</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty</artifactId>
<version>6.1.0</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-spring</artifactId>
<version>1.4.1</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-adb</artifactId>
<version>1.4.1</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.geronimo.daytrader</groupId>
<artifactId>daytrader-ear</artifactId>
<version>2.1.7</version>
<type>ear</type>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.glassfish.main.admingui</groupId>
<artifactId>war</artifactId>
<version>4.0</version>
<type>war</type>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.dojotoolkit</groupId>
<artifactId>dojo-war</artifactId>
<version>1.3.0</version>
<type>war</type>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.apache.openjpa</groupId>
<artifactId>openjpa</artifactId>
<version>2.0.1</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
<version>3.0</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.retry</groupId>
<artifactId>spring-retry</artifactId>
<version>1.1.0.RELEASE</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>uk.ltd.getahead</groupId>
<artifactId>dwr</artifactId>
<version>1.1.1</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>xalan</groupId>
<artifactId>xalan</artifactId>
<version>2.7.0</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.8</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.2.1</version>
<scope>test</scope>
<optional>true</optional>
</dependency>
</dependencies>
</profile>
</profiles>
</project>Open source consumption has exploded, with estimates placing this year’s downloads at over 6.6 trillion. This reliance on open source components, now making up to 90% of the modern software application, has ushered in both unprecedented innovation and complex challenges for software supply chains.
View the Report
