Conduct Software Composition Analysis (SCA) using OWASP Dependency Check

In this blog, we will see what OWASP Dependency Check is and how to use it to identify vulnerable Open-Source libraries.

First, what is OWASP Dependency Check?

OWASP Dependency Check is an open-source Software Composition Analysis (SCA) tool maintained by OWASP.
Dependency Check scans source code, binaries, and packaging formats to identify vulnerable open-source libraries used in the software.

Here is the list of languages, file types, and packaging formats that Dependency Check supports.

  • Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2); RPM format (*.rpm)
  • .NET Assemblies (*.exe, *.dll)
  • Java archive files (*.jar); Web application archive (*.war)
  • JavaScript files
  • NPM package specification files (package.json)
  • Nuget packages.config file
  • Nuget package specification file (*.nuspec)
  • OpenSSL Version Source Header File (opensslv.h)
  • Ruby Gemfile.lock files
  • Autoconf project configuration files (configure)
  • CMake project files (CMakeLists.txt) and scripts (*.cmake)
  • CocoaPods .podspec files
  • PHP Composer Lock files (composer.lock)
  • Perl cpanfile dependency files (cpanfile)
  • Go.mod
  • Gopkg.lock
  • PE DLL and EXE
  • Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip)
  • Python Pip requirements.txt files
  • Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec)
  • SWIFT Package Manager's Package.swift

Dependency Check mainly uses the National Vulnerability Database (NVD), the Sonatype OSS Index, and the NPM Public Advisories to identify vulnerabilities in open-source libraries.

How Does Dependency Check Work?

Dependency Check analyzes the source code, binaries, and packaging formats to build an inventory of the open-source libraries used in the software; each entry records the Entry Type, Library Name, Vendor, and Version.

From these details, Dependency Check then builds a CPE (Common Platform Enumeration) and a PURL (Package URL) for each open-source library.

CPE - is a standard method used in the National Vulnerability Database to describe and identify classes of applications, operating systems, and hardware devices
CPE Syntax - cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:…

PURL - is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs, and databases.
PURL Syntax - scheme:type/namespace/name@version?qualifiers#subpath

Once the CPE and PURL have been created, Dependency Check uses the CPE of each open-source library to look up vulnerabilities in the National Vulnerability Database, and uses the PURL to look up vulnerabilities in the Sonatype OSS Index.
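To make that matching flow concrete, here is an added example (not part of this post or of Dependency Check's own code) that builds the CPE and PURL for an inventory entry and looks both up in constructed stand-ins for the NVD and the Sonatype OSS Index. The Library fields, the two lookup tables and the placeholder advisory IDs are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import quote

# Constructed inventory entry with the fields the post describes (entry type,
# vendor, product, version) plus the PURL type/namespace needed to build a PURL.
@dataclass(frozen=True)
class Library:
    entry_type: str      # CPE part: 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str
    purl_type: str       # PURL type, e.g. 'npm' or 'maven'
    namespace: str = ""  # PURL namespace, e.g. a Maven groupId (empty when none)

def _cpe_component(value: str) -> str:
    # CPE components are lower-cased, spaces become underscores, ':' is escaped.
    return value.strip().lower().replace(" ", "_").replace(":", "\\:")

def to_cpe(lib: Library) -> str:
    """CPE 2.2 URI in the form cpe:/[Entry Type]:[Vendor]:[Product]:[Version]."""
    return "cpe:/" + ":".join(
        (lib.entry_type, _cpe_component(lib.vendor),
         _cpe_component(lib.product), _cpe_component(lib.version)))

def to_purl(lib: Library) -> str:
    """PURL in the form scheme:type/namespace/name@version (no qualifiers/subpath)."""
    segments = [quote(s, safe="") for s in (lib.namespace, lib.product) if s]
    return f"pkg:{lib.purl_type}/{'/'.join(segments)}@{quote(lib.version, safe='')}"

# Constructed stand-ins for the two data sources: NVD keyed by CPE, OSS Index by PURL.
# Advisory IDs are placeholders, not real CVE or OSS Index identifiers.
NVD_BY_CPE = {"cpe:/a:lodash:lodash:4.17.15": ["CVE-PLACEHOLDER-1"]}
OSSINDEX_BY_PURL = {
    "pkg:npm/lodash@4.17.15": ["CVE-PLACEHOLDER-1", "OSSINDEX-PLACEHOLDER-2"],
    "pkg:maven/org.apache.commons/commons-text@1.9": ["CVE-PLACEHOLDER-3"],
}

def find_vulnerabilities(lib: Library) -> list[str]:
    """Look up the CPE in NVD and the PURL in OSS Index, merge and de-duplicate."""
    found = set(NVD_BY_CPE.get(to_cpe(lib), []))
    found.update(OSSINDEX_BY_PURL.get(to_purl(lib), []))
    return sorted(found)

if __name__ == "__main__":
    for lib in (Library("a", "lodash", "lodash", "4.17.15", "npm"),
                Library("a", "Apache", "commons-text", "1.9", "maven", "org.apache.commons")):
        print(to_cpe(lib), to_purl(lib), find_vulnerabilities(lib))
```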

How to Install and Use Dependency Check

Download the .zip release archive from the Dependency Check GitHub repository
Command:  wget

Unzip the archive
Command: unzip

Change into the dependency-check/bin/ directory
Command: cd dependency-check/bin/

Download a local copy of the National Vulnerability Database (this only updates the local data and runs no scan)
Command: ./ --updateonly

Run Scan

Now we will see how to run Software Composition Analysis using Dependency Check.
For demo purposes, I am using OWASP Juice Shop.

Syntax: ./ --project <Project Name> --scan <Path To Scan> --enableExperimental -o <The folder to write reports> -f <output format to write to (XML, HTML, CSV, JSON, JUNIT, SARIF, ALL)>

Command: ./ --project demo_scan --scan /home/sahil/tools/juice-shop --enableExperimental -o /home/sahil/tools/demo_scan.html -f HTML

Once the scan is complete, we can open the report at the output path given with -o.

Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
