OWASP Dependency-Check


Category: SCA
License: Free (Open-Source, Apache 2.0)
Suphi Cankurt, AppSec Enthusiast
Updated February 10, 2026
4 min read
Key Takeaways
  • OWASP Flagship Project with 7.4k GitHub stars and 290+ contributors; identifies known vulnerabilities using CPE matching against the National Vulnerability Database.
  • Native plugins for Maven, Gradle, and Ant with failBuildOnCVSS threshold gating; also supports npm, pip, Ruby Bundler, Go modules, and NuGet.
  • Reports in HTML, JSON, XML, CSV, SARIF, and JUnit formats; SARIF integrates with GitHub's code scanning alerts. Version 12.2.0 is current.
  • Free under Apache 2.0 with no account required; NVD API key strongly recommended to avoid rate-limited database updates.

OWASP Dependency-Check is one of the oldest and most widely used open-source SCA tools. As an OWASP Flagship Project, it addresses the OWASP Top 10’s A06:2021 “Vulnerable and Outdated Components” category directly. With 7.4k GitHub stars, 290+ contributors, and 82+ releases, it has been a go-to free option for identifying known vulnerabilities in project dependencies.

[Image: OWASP Dependency-Check HTML report showing vulnerability overview with severity breakdown]

The tool checks your dependencies against the National Vulnerability Database (NVD) using CPE (Common Platform Enumeration) matching. It runs as a CLI tool, Maven plugin, Gradle plugin, Ant task, or Jenkins plugin. The current version is 12.2.0.

What is OWASP Dependency-Check?

Dependency-Check scans project dependencies and matches them against NVD entries to find known CVEs. It supports Java (Maven, Gradle), .NET (NuGet), JavaScript (npm), Python (pip), Ruby (Bundler), and Go modules. It also pulls data from NPM Audit, Sonatype OSS Index, and RetireJS for additional coverage.

NVD Integration
Matches dependencies against the National Vulnerability Database using CPE identification. Supports offline mode and regular database updates. An NVD API key speeds up updates significantly.
Build Tool Plugins
Native plugins for Maven, Gradle, and Ant integrate directly into your build process. Fail builds when vulnerabilities exceed your CVSS threshold.
Multiple Report Formats
Generates reports in HTML, JSON, XML, CSV, SARIF, and JUnit format. SARIF output integrates with GitHub’s security dashboard.

Key features

Current version: 12.2.0
License: Apache 2.0 (OWASP Flagship Project)
Vulnerability source: NVD (CPE matching) + NPM Audit + OSS Index + RetireJS
Build plugins: Maven, Gradle, Ant (native); SBT, Leiningen (community)
CI/CD: Jenkins plugin, GitHub Actions, Azure DevOps extension
Report formats: HTML, JSON, XML, CSV, SARIF, JUnit
Installation: CLI (ZIP), Maven, Gradle, Homebrew, Docker
False positive handling: XML suppression files with CVE, CPE, and component filters
Offline scanning: Cached NVD database for air-gapped environments

Supported ecosystems

Ecosystem and detection method:
Java (Maven): pom.xml analysis, JAR scanning
Java (Gradle): build.gradle analysis
JavaScript (npm): package.json, package-lock.json
Python (pip): requirements.txt, pyproject.toml
Ruby (Bundler): Gemfile.lock
.NET (NuGet): packages.config, .csproj
Go: go.mod, go.sum
PHP (Composer): composer.lock
Swift (CocoaPods): Podfile.lock
Binaries: JAR, DLL fingerprinting via CPE

NVD integration

Dependency-Check identifies components using CPE matching and correlates them against the NVD. It also pulls data from NPM Audit, Sonatype OSS Index, and RetireJS for additional coverage. Database updates are cached locally for offline scanning.

[Image: OWASP Dependency-Check vulnerability findings showing CVE details and affected dependencies]

NVD API Key Required
An NVD API key is strongly recommended. Without one, database updates are rate-limited to around 6 requests per 30 seconds. Get a free key at nvd.nist.gov/developers/request-an-api-key. With a key, updates complete in minutes instead of hours.

Build tool plugins

Native plugins for Maven, Gradle, and Ant let you add vulnerability checking directly to your build lifecycle. Set a failBuildOnCVSS threshold to break builds when critical vulnerabilities are found. Community-maintained plugins also exist for SBT and Leiningen.

Suppression files

False positives are managed through XML suppression files. You can suppress by CVE ID, CPE pattern, or component name, keeping reports clean while maintaining an audit trail of suppression decisions.
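An added example of such a suppression file, written for this page rather than taken from the project's documentation. It shows the three filter styles the text names (CVE ID, CPE pattern, component name via package URL or file path); every CVE number, ticket reference, vendor and artifact name in it is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example; all identifiers below are placeholders, not real findings. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- 1. One CVE on one component, with an expiry date so the decision is
          re-evaluated instead of silently living forever. -->
  <suppress until="2026-12-31Z">
    <notes><![CDATA[
      SEC-0000 (placeholder ticket): the vulnerable code path is not reachable
      from our usage. Re-check when the suppression expires.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.example/widget\-lib@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>

  <!-- 2. A wrong CPE match: the CPE identifier was mapped to an unrelated
          product that happens to share a name. Suppressing the CPE (rather
          than each CVE) clears every finding that stems from the bad match. -->
  <suppress>
    <notes><![CDATA[
      False positive: our gateway-client artifact was identified as a
      different vendor's "gateway" product.
    ]]></notes>
    <packageUrl regex="true">^pkg:maven/com\.example/gateway\-client@.*$</packageUrl>
    <cpe>cpe:/a:example_vendor:gateway</cpe>
  </suppress>

  <!-- 3. A vendored JAR matched by file path; only findings below the build's
          CVSS gate are suppressed, so High/Critical ones still surface. -->
  <suppress>
    <notes><![CDATA[
      Vendored legacy-utils JAR carries a locally patched build.
    ]]></notes>
    <filePath regex="true">.*[/\\]lib[/\\]legacy\-utils\-.*\.jar</filePath>
    <cvssBelow>7</cvssBelow>
  </suppress>

</suppressions>
```

Keeping the notes element filled in and the file under version control is what gives you the audit trail the text refers to; an entry with an until date and a ticket reference is far easier to revisit than a bare CVE number.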

Report formats

Reports are available in HTML (default, good for manual review), JSON, XML, CSV, SARIF, and JUnit. The SARIF format integrates directly with GitHub’s code scanning alerts. JUnit format works with Jenkins test result dashboards.

[Image: OWASP Dependency-Check vulnerability trend showing findings over time]

Integrations

Build Tools: Maven, Gradle
CI/CD: Jenkins, GitHub Actions, Azure DevOps, SonarQube

Getting started

1. Install the scanner — Download the CLI from GitHub releases, use brew install dependency-check on macOS, or add the Maven/Gradle plugin to your build file.
2. Get an NVD API key — Register at nvd.nist.gov for a free API key. Without one, database updates are slow and rate-limited.
3. Run your first scan — Execute dependency-check.sh --project MyProject --scan ./ or run the Maven goal dependency-check:check.
4. Configure thresholds — Set failBuildOnCVSS to your desired threshold (e.g., 7) and create a suppression file for known false positives.

When to use Dependency-Check

Dependency-Check is the right choice for teams that need free, proven SCA scanning with strong build tool integration, especially in Java environments.

The CPE matching approach can produce more false positives than ecosystem-specific scanners like Grype or Trivy. Plan to maintain a suppression file. The tool also lacks reachability analysis and automated fix PRs that commercial tools provide.

For teams that want free SCA with fewer false positives, Grype or Trivy are worth evaluating. For teams wanting automated remediation, Snyk or Dependabot offer fix pull requests.

Best for
Teams needing free vulnerability scanning with strong Java build tool integration. Pair with a suppression file workflow to manage false positives.

How it compares:

vs. Grype: Grype uses ecosystem-specific matching with fewer false positives and faster scans. Dependency-Check has deeper build tool integration (Maven, Gradle, Ant plugins).
vs. Snyk Open Source: Snyk adds automated fix PRs, reachability analysis, and a curated vulnerability database. Dependency-Check is free with no account needed.
vs. Dependency-Track: Dependency-Track is an SBOM-based continuous monitoring platform. Use Dependency-Check for point-in-time scanning, Dependency-Track for ongoing portfolio monitoring.

For more background, see What is SCA? and our guide on SCA in CI/CD pipelines.

Frequently Asked Questions

What is OWASP Dependency-Check?
OWASP Dependency-Check is a free, open-source SCA tool that identifies known vulnerabilities in project dependencies by checking them against the National Vulnerability Database (NVD). The current version is 12.2.0. It runs as a CLI tool, Maven/Gradle plugin, or Jenkins plugin.
Is OWASP Dependency-Check free?
Yes, completely free and open-source under the Apache 2.0 license. It is an OWASP Flagship Project with 7.4k GitHub stars and over 290 contributors.
Do I need an NVD API key?
An NVD API key is strongly recommended. Without one, database updates are rate-limited and slow. Get a free key at nvd.nist.gov/developers/request-an-api-key.
How does Dependency-Check compare to Grype or Trivy?
Dependency-Check uses CPE matching against the NVD, which can produce more false positives than Grype or Trivy’s ecosystem-specific matching. However, it has broader build tool integration (Maven, Gradle, Ant plugins) and a longer track record in enterprise environments.