Find plugins

OWASP Dependency-Check Jenkins requirement: 1.625.3ID: dependency-check-jenkins-plugin

Plugin Information

View OWASP Dependency-Check on the plugin site for more information.

Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:

This plugin can analyze dependencies and generate trend reports for Dependency-Check, an open source utility that detects known vulnerabilities in project dependencies.

Installation Requirements

This plug-in requires the utility plug-in "analysis-core" (called "Static Analysis Utilities" in the update manager). Please ensure that the latest version of this plug-in is also installed.


Dependency-Check is an open source utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. This tool can be part of the solution to the OWASP Top 10 2013: A9 - Using Components with Known Vulnerabilities. The purpose of Dependency-Check is to help notify developers and security professionals of the problem discussed by Jeff Williams and Arshan Dabirsiaghi in their talk at AppSec DC 2012 titled “The Unfortunate Reality of Insecure Libraries“.

Dependency-Check is able to identify Java, Ruby, PHP, JavaScript, Python components along with .NET assemblies and others. Once identified, Dependency-Check will automatically determine if those component have known, publicly disclosed, vulnerabilities.

The Dependency-Check Jenkins Plugin features the ability to perform a dependency analysis build and later view results post build. The plugin is built using analysis-core and features many of the same features that Jenkins static analysis plugins offer, including thresholds, charts and the ability to view vulnerability information should a dependency have one identified.

Supported Analyzers




An analyzer that extracts files from archives such as TGZ, TBZ2, and ZIP (including EAR, WAR, and APK) and ensures any supported files contained within the archive are added to the dependency list.


Analyzes Windows .NET assemblies (EXE and DLL). On non-Windows platforms, enabling this analyzer requires Mono.


Analyzes Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed, assuming they are generated by Autoconf and contain certain special package descriptor variables.


Analyze CMake build files.


Analyze SWIFT and Objective-C packages by collecting information from CocoaPods .podspec files.


Analyzes Java Archive files.

Maven Central

Analyzer which will attempt to locate a dependency, and the GAV information, by querying Maven Central for the dependency's SHA-1 digest.


Analyzer which will attempt to locate a dependency on a Nexus Pro service by SHA-1 digest of the dependency.


Analyzes Node Package Manager (npm) package.json files.

NSP Analyzes Node Package Manager (npm) package.json files using Node Security Platform.

NuSpec NuGet

Analyzes NuSpec files.


Analyzes OpenSSL source code present on the file system, specifically opensslv.h.

PHP Composer

Used to analyze a composer.lock file for a composer PHP app.

Python Distribution

Used to analyze a Wheel or egg distribution files, or their contents in unzipped form.

Python Package

Analyzes Python packages.


Analyzes RubyGems.


This analyzer is used to analyze the SWIFT Package Manager. It collects information about a package from Package.swift files.


Dependency-Check is the core engine that includes the evidence-based identification, analysis, and reporting of library information and associated vulnerabilities. Dependency-Check includes a command line interface (CLI), an Ant task, and Maven plugin. All three generate the same HTML and XML reports. The Dependency-Check Jenkins Plugin relies on the XML report generated from the CLI, Ant task or Maven plugin. It's recommended to include a Dependency-Check scan as part of a build process, similar to how a Findbugs or PMD analysis is typically performed.

The Dependency-Check Jenkins Plugin also includes everything necessary to execute an analysis outside of a build script by incorporating the Dependency-Check core engine and associated Jenkins build-step.

Use in Software Engineering

Dependency-Check builds can be run in a continuous integration or nightly basis to determine if there are new vulnerabilities discovered based on the addition of a new dependency, or the discovery of a new vulnerability in an existing dependency. This is highly desirable information for projects in active development and for those being sustained.

Use for Proactive Monitoring

Dependency-Check builds in Jenkins can be used outside of a software engineering context by automatically scanning and analyzing third-party applications where source code is not available. In this scenario, Jenkins behaves like a glorified cron job with built-in reporting capabilities. An enterprise for example, could scan and analyze all third-party applications (commercial or otherwise) for libraries containing publicly known vulnerabilities and proactively address issues when they arise.


Trending Chart

Categories (by CWE)

Types (by CVE)

Analysis Details

Version History

Version (May 2, 2018)

  • Fixed issue that resulted in the Dependency-Track publisher failing on slave nodes
  • Enhanced online help when configuring jobs which describes permissions required in Dependency-Track
  • Relaxed URL format for Dependency-Track. Will ignore trailing slash if present.

Version 3.1.2 (April 2, 2018)

  • Updated core to Dependency-Check v3.1.2
  • Added links to CWEs in report console
  • Added additional links to CVEs in fixed and warnings tabs
  • Added option to disable Node Package Manager analyzer

Version 3.1.1 (January 28, 2018)

  • Updated core to Dependency-Check v3.1.1
  • Updated Jenkins parent to use modern pom (thanks CloudBees)
  • Updated Java version requirement to Java 8
  • Added software bill-of-material (CycloneDX and SPDX) support to Dependency-Track publisher

Version 3.1.0 (January 4, 2018)

  • Disabled Ruby Bundler Analyzer by default
  • Fixed issue that prevented publishing to Dependency-Track when project did not have a version
  • Updated core to Dependency-Check v3.1.0
  • Updated analysis-core to v1.88
  • Minor spelling and labeling changes

Version 3.0.2 (November 14, 2017)

  • Updated core to Dependency-Check v3.0.2

Version 3.0.1 (October 19, 2017)

  • Updated core to Dependency-Check v3.0.1

Version 3.0.0 (October 15, 2017)

  • Fixed serialization issue that prevented Dependency-Track Publisher from running on slave nodes
  • Removed legacy Node.js analyzer
  • Updated core to Dependency-Check v3.0.0

Version 2.1.1 (August 25, 2017)

  • Added Groovy syntax support when defining pipeline jobs
  • Fixed defect that prevented pipeline execution from properly executing on slave nodes
  • Updated core to Dependency-Check v2.1.1

Version 2.1.0 (July 23, 2017)

  • Updated core to Dependency-Check v2.1.0

Version (July 20, 2017)

  • Fixed XSS vulnerability - SECURITY-577

Version (July 10, 2017)

  • Fixed defect that caused NPE when the publisher step parsed Dependency-Check XML reports containing suppressions

Version 2.0.1 (July 6, 2017)

  • Updated core to Dependency-Check v2.0.1

Version 2.0.0 (July 3, 2017)

  • Updated core to Dependency-Check v2.0.0
  • Updated analysis-core to v1.86
  • Added support for Node Security Platform
  • Added Jenkins Pipeline support to all builders
  • Added finer controler over optional HTML, JSON, and CSV reports to generate
  • Added ability to publish Dependency-Check results to Dependency-Track v3
  • Enhancements to user interface
  • Fixed bug that prevented updateOnly builder from using external database
  • Fixed bug that failed to mask password when using external database

Version 1.4.5 (January 23, 2017)

  • Updated core to Dependency-Check v1.4.5
  • Updated analysis-core to v1.80
  • Minor modifications to Python configuration
  • Added support for Ruby Bundler analyzer
  • Added support for hints file
  • Fixed null pointer exception

Version 1.4.4 (November 5, 2016)

  • Updated core to Dependency-Check v1.4.4
  • Added global data directory option (with local override)
  • Fixed null pointer exception

Version 1.4.3 (September 6, 2016)

  • Updated core to Dependency-Check v1.4.3
  • Added CocoaPods analyzer support
  • Added Swift Package Manager analyzer support

Version 1.4.2 (July 31, 2016)

  • Updated core to Dependency-Check v1.4.2

Version 1.4.1 (July 31, 2016)

  • Updated core to Dependency-Check v1.4.1
  • Updated analysis-core to v1.79
  • Java 7 or higher is now a requirement - Version checking implemented
  • Corrected description in verbose logging help
  • Added XSS prevention missing on three files

Version 1.4.0 (June 16, 2016)

  • Separated out standard and experimental analyzers in global config
  • Added optional external database configuration options to global config
  • Updated core to Dependency-Check v1.4.0
  • Updated analysis-core to v1.78

Version 1.3.6 (April 10, 2016)

  • Updated core to Dependency-Check v1.3.6

Version 1.3.5 (March 5, 2016)

  • Updated core to Dependency-Check v1.3.5
  • Updated analysis-core to v1.76

Version 1.3.4 (February 1, 2016)

  • Updated core to Dependency-Check v1.3.4
  • Updated analysis-core to v1.75

Version 1.3.3 (December 11, 2015)

  • Updated core to Dependency-Check v1.3.3

Version 1.3.2 (November 29, 2015)

  • Updated core to Dependency-Check v1.3.2

Version (November 13, 2015)

  • Fixed relative (to workspace) path resolution for suppression files

Version (November 10, 2015)

  • Fixed regression that prevented suppression files from being honored

Version 1.3.1 (September 21, 2015)

  • Added RubyGem analyzer support
  • Added PHP Composer lock analyzer support
  • Added Node.js analyzer support
  • Added support for Jenkins Workflow plugin (thanks CloudBees)
  • Removed Javascript analyzer support
  • Updated dashboard-view plugin to 2.9.6
  • Updated analysis-core to v1.74
  • Updated core to Dependency-Check v1.3.1

Version 1.3.0 (August 5, 2015)

  • Added Autoconf analyzer support
  • Added CMake analyzer support
  • Added OpenSSL analyzer support
  • Added QuickQuery Timestamp option to global config
  • Added support for token-macro plugin
  • Added support for dashboard-view plugin
  • CVSS attributes now popup when hovering over CVSS score in details view
  • Updated analysis-core to v1.72
  • Updated core to Dependency-Check v1.3.0
  • Bug fixes

Version (June 10, 2015)

  • Fixed defect introduced in 1.2.11 that prevented execution on slave nodes

Version 1.2.11 (May 12, 2015)

  • Added Python analyzer support
  • Added new builder (build step) that can perform an NVD update only
  • Updated analysis-core to v1.71
  • Updated core to Dependency-Check v1.2.11
  • Minor refactoring to minimize DRY

Version 1.2.10 (April 12, 2015)

  • Updated core to Dependency-Check v1.2.10

Version 1.2.9 (March 6, 2015)

  • Updated core to Dependency-Check v1.2.9
  • Added warning if the Maven Central or Nexus analyzer are disabled
  • Added option to bypass Jenkins proxy configuration when downloading NVD feed
  • Updated analysis-core to v1.69
  • Changed label names on tabs

Version 1.2.8 (December 28, 2014)

  • Updated core to Dependency-Check v1.2.8
  • Minor code cleanup

Version (December 28, 2014)

  • Reverted previous serialization changes

Version 1.2.7 (December 8, 2014)

  • Updated core to Dependency-Check v1.2.7
  • Optimized serialization required for slave execution

Version 1.2.6 (November 16, 2014)

  • Updated core to Dependency-Check v1.2.6
  • Updated analysis-core to v1.65
  • Added support for Maven Central analyzer

Version 1.2.5 (September 16, 2014)

  • Updated core to Dependency-Check v1.2.5
  • Support for Ant-style patterns added to scan path configuration

Version 1.2.4 (August 5, 2014)

  • Updated core to Dependency-Check v1.2.4

Version (July 7, 2014)

  • Refactored experimental Maven artifact analysis
  • Fixed display issued on details tab that may display incorrect path

Version (July 1, 2014)

  • Fixed UI defect that prevented plugin from being configured in some circumstances

Version 1.2.3 (June 27, 2014)

  • Updated core to Dependency-Check v1.2.3

Version 1.2.2 (June 23, 2014)

  • Updated core to Dependency-Check v1.2.2
  • Updated analysis-core to v1.57
  • Added experimental support for Maven artifact analysis in Maven jobs
  • Added global configuration for analyzers and temporary directory

Version 1.2.1 (May 10, 2014)

  • Updated core to Dependency-Check v1.2.1

Version 1.2.0 (April 28, 2014)

  • Updated core to Dependency-Check v1.2.0
  • Fixed defect that could result in a circular dependency

Version (April 15, 2014)

  • 1.1.4 did not release properly due to bug in Maven Release Plugin. This is a re-release of 1.1.4 using M-R-P v2.5

Version 1.1.4 (March 30, 2014)

  • Updated core to Dependency-Check v1.1.4
  • Updated analysis-core to v1.56
  • Added URL support for suppression files
  • Fixed bug that prevented workspace from being cleaned up due to H2 lock files in use
  • Fixed defect in details view that prevented certain details from displaying if a CWE was not associated with a vulnerability
  • Default filename for XML reports has changed

Version 1.1.3 (March 11, 2014)

  • Updated core to Dependency-Check v1.1.3

Version 1.1.2 (March 3, 2014)

  • Updated core to Dependency-Check v1.1.2
  • Updated analysis-core to v1.55
  • Added per-build configurable support for additional zip extensions
  • Added global Nexus analyzer proxy bypass setting
  • Added global Mono path configuration

Version (February 9, 2014)

  • Added per job configurable option to skip Dependency-Check analysis if job is triggered by an upstream change

Version (February 8, 2014)

  • Added per job configurable option to skip Dependency-Check analysis if job is triggered by SCM change

Version 1.1.1 (January 30, 2014)

  • Updated core to Dependency-Check v1.1.1

Version 1.1.0 (January 26, 2014)

  • Updated core to Dependency-Check v1.1.0
  • Changed license from GPLv3 to Apache 2.0

Version 1.0.8 (January 18, 2014)

  • Updated core to Dependency-Check v1.0.8
  • Added global configuration options for Nexus analyzer
  • Removed restriction that confined data directory to workspace
  • Support for shared data directory (per node)

Version 1.0.7 (December 3, 2013)

  • Updated core to Dependency-Check v1.0.7
  • Added support for suppression file in build step

Version 1.0.6 (not published)

Version 1.0.5 (November 16, 2013)

  • Updated core to Dependency-Check v1.0.5
  • Updated analysis-core to v1.54
  • Added support for proxy authentication
  • Fixed bug that allowed a build to pass if invalid scan path was specified

Version (October 31, 2013)

  • Added ability to use mirrored NIST CPE/CVE data. Refer to nist-data-mirror for a simple tool to mirror NIST data
  • Added partial proxy server support. The core currently supports hostname and port parameters

Version 1.0.4 (October 22, 2013)

  • Updated core to Dependency-Check v1.0.4
  • Added configurable option to enable verbose logging when using the build step

Version 1.0.3 (October 14, 2013)

  • Updated core to Dependency-Check v1.0.3
  • Added configurable option to generate standalone HTML reports in output directory

Version 1.0.2 (September 4, 2013)

  • Updated core to Dependency-Check v1.0.2

Version (August 30, 2013)

  • Removed unnecessary dependency that may cause classpath issues

Version 1.0.1 (August 2, 2013)

  • Initial public release


Development of Dependency-Check Jenkins Plugin prior to v3.0.3 was sponsored in part by Axway.

ArchivesGet past versions
Previous Security Warnings