Integrate OWASP Dependency-Check with Vulnetix. Scan project dependencies for known CVEs and export SARIF or CycloneDX reports for upload to Vulnetix.
CLI toolSARIFCycloneDXJSONXML
Install & scan
$ # Download and extract the CLI distribution
VERSION=$(curl -s https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
curl -L "https://github.com/jeremylong/DependencyCheck/releases/download/v${VERSION}/dependency-check-${VERSION}-release.zip" -o dc.zip
unzip dc.zip && rm dc.zip
$ dependency-check/bin/dependency-check.sh --scan . --format SARIF --out dependency-check.sarif --enableRetired
Run OWASP Dependency-Check in CI
Scan on every push and upload the results to Vulnetix:
- name: Setup Java
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Download Dependency-Check
run: |
VERSION=$(curl -s https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
curl -L "https://github.com/jeremylong/DependencyCheck/releases/download/v${VERSION}/dependency-check-${VERSION}-release.zip" -o dc.zip
unzip dc.zip
- name: Run Dependency-Check
run: |
dependency-check/bin/dependency-check.sh --scan . --format SARIF --out dc.sarif
env:
NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
- name: Upload to Vulnetix
run: vulnetix upload --file dc.sarif
Centralise OWASP Dependency-Check results in Vulnetix
Upload OWASP Dependency-Check SARIF, CycloneDX, JSON, XML output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.
OWASP Dependency-Check documentation ↗ · Source repository ↗