{"id":26511072,"url":"https://github.com/nmoncho/sbt-dependency-check","last_synced_at":"2025-07-11T20:32:09.897Z","repository":{"id":282852017,"uuid":"949840283","full_name":"nMoncho/sbt-dependency-check","owner":"nMoncho","description":"SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs).","archived":false,"fork":false,"pushed_at":"2025-07-09T08:07:13.000Z","size":222,"stargazers_count":10,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-09T23:39:32.703Z","etag":null,"topics":["appsec","cve","devops","infosec","nvd","owasp","owasp-dependencycheck","sbt","sbt-plugin","scala","security","security-audit","security-automation","software-composition-analysis","software-security","static-analysis","vulnerabilities","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nMoncho.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-03-17T08:18:55.000Z","updated_at":"2025-07-09T08:07:18.000Z","dependencies_parsed_at":"2025-06-23T14:35:26.622Z","dependency_job_id":"b35ffc2b-ca1b-4ab2-86db-569405a344d2","html_url":"https://github.com/nMoncho/sbt-dependency-check","commit_stats":null,"previous_names":["nmoncho/sbt-dependency-check"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/nMoncho/sbt-dependency-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/nMoncho%2Fsbt-dependency-check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nMoncho%2Fsbt-dependency-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nMoncho%2Fsbt-dependency-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nMoncho%2Fsbt-dependency-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nMoncho","download_url":"https://codeload.github.com/nMoncho/sbt-dependency-check/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nMoncho%2Fsbt-dependency-check/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264892312,"owners_count":23679269,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","cve","devops","infosec","nvd","owasp","owasp-dependencycheck","sbt","sbt-plugin","scala","security","security-audit","security-automation","software-composition-analysis","software-security","static-analysis","vulnerabilities","vulnerability-scanners"],"created_at":"2025-03-21T02:19:32.162Z","updated_at":"2025-07-11T20:32:09.868Z","avatar_url":"https://github.com/nMoncho.png","language":"Scala","readme":"# sbt-dependency-check [![Build Status](https://github.com/nMoncho/sbt-dependency-check/actions/workflows/main.yaml/badge.svg)](https://github.com/nMoncho/sbt-dependency-check/actions/workflows/main.yaml) [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](https://mit-license.org/)\n\nThe sbt-dependency-check plugin allows projects to 
monitor dependent libraries for known, published vulnerabilities\n(e.g. CVEs). The plugin achieves this by using the\nawesome [OWASP DependencyCheck library](https://github.com/dependency-check/DependencyCheck)\nwhich already offers several integrations with other build and continuous integration systems.\n\nFor more information on how OWASP DependencyCheck works and how to read the reports check\nthe [project's documentation](https://jeremylong.github.io/DependencyCheck/index.html).\n\nThis plugin is inspired by the great work of Alexander v. Buchholtz et\nal. [sbt-dependency-check](https://github.com/albuch/sbt-dependency-check).\nThis plugin seeks to build on top of the previous plugin, keeping some settings and tasks the same, while offering some\nfunctionalities on top. The work on this plugin started when we noticed NVD deprecating data-feed, which the previous\nplugin still relied on. If you're looking to migrate from Buchholtz's plugin, please read\nthe [Migration Guide](MIGRATION.md)\n\n## Installation\n\nAdd the plugin to your project configuration:\n\n```scala\naddSbtPlugin(\"net.nmoncho\" % \"sbt-dependency-check\" % \"1.7.2\")\n```\n\nThe minimum SBT version supported is `1.9.0`.\n\n## Usage\n\n### Getting Started\n\nDon't feel deterred by all the configuration settings defined in this plugin. All of them have sensible defaults.\n\nThe best way to get started is to install the plugin, set your [NVD API Key](#nvd-api):\n\n```sbt\ndependencyCheckNvdApi := NvdApiSettings(\"YOUR_NVD_API_KEY\")\n```\n\nAnd then just run:\n\n```bash\nsbt -Dlog4j2.level=info dependencyCheck\n```\n\nThe first time you run these tasks it will take some time, even a couple of minutes. 
The analysis will write a report\nto `target/{scala-version}/dependency-check-report.html`.\n\nAfter this, feel free to take a look at the available tasks and settings.\n\n### Tasks\n\nThe following tasks are available:\n\n| Task                                    | Description                                                                                                                                                               |\n|:----------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `dependencyCheck`                       | Runs dependency-check against the project and generates a report per sub project.                                                                                         |\n| `dependencyCheckAggregate`              | Runs dependency-check against project aggregates and combines the results into a single report.                                                                           |\n| `dependencyCheckAllProjects`            | Runs dependency-check against all projects and combines the results into a single report.                                                                                 |\n| `dependencyCheckUpdate`                 | Updates the local cache of the NVD data from NIST.                                                                                                                        |\n| `dependencyCheckPurge`                  | Deletes the local copy of the NVD. This is used to force a refresh of the data.                                                                                           |\n| `dependencyCheckListSettings`           | List the settings used during the analysis.                                                                                                                               
|\n| `dependencyCheckListUnusedSuppressions` | List unused suppressions, only considering suppression files or rules defined in the project definition (i.e. build.sbt), not hosted suppressions nor packaged suppressions. |\n| `dependencyCheckListSuppressions`       | List suppression rules added to the OWASP engine which are defined in the project definition (i.e. build.sbt), or are imported packaged suppressions.                    |\n\nThe reports will be written to `crossTarget.value` by default. This can be overridden by setting `dependencyCheckOutputDirectory`.\nSee [Configuration](#configuration) for details.\n\n#### `dependencyCheck` Arguments\n\nBy default `dependencyCheck` will run under the selected project, or `root` if none is selected. Like any other SBT task, it will also run\non projects aggregated by that project, generating one report per project.\n\nThe task `dependencyCheck` supports arguments that can be used to change its behavior:\n\n- `list-settings`: The settings used for the analysis will be printed before running the analysis. This works the same\n  way as the task `dependencyCheckListSettings`.\n- `list-unused-suppressions`: Any unused suppression rule will be printed after the analysis. This works the same way as\n  the task `dependencyCheckListUnusedSuppressions`.\n- `single-report`: A single report will be generated for this project, and all aggregates if any. This works the same\n  way as the task `dependencyCheckAggregate`.\n- `all-projects`: A single report will be generated for all projects. This works the same way as the task `dependencyCheckAllProjects`.\n  **Important**: This argument needs to be used together with `single-report`.\n\n### Configuration\n\nThe plugin uses the default [DependencyCheck](https://github.com/dependency-check/DependencyCheck) configuration which\ncan be overridden by either an SBT Setting Key, or a System Property. Properties are resolved by the library in this\norder: (1) `dependencycheck.properties` values, (2) SBT Setting Keys, (3) System Properties. The last non-empty value wins.\n\n
The default `properties` file can be overridden with the Setting Key `dependencyCheckSettingsFile`. Most, if not all,\nsettings are picked up from the defaults DependencyCheck defines. You can run the task `dependencyCheckListSettings`\nto see the final value of each setting; its output also serves as an example of this properties file's content.\n\nSBT Setting Keys are usually wrapped with an `Option`. This is meant to allow keeping the default value, at the cost of\nsome configuration convenience.\n\n| Setting                                | Description                                                                                                                                                                          | Default                                                                        |\n|:---------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------|\n| `dependencyCheckFailBuildOnCVSS`       | Specifies if the build should be failed if a CVSS score above a specified level is identified                                                                                        | 11.0 (never fails a build)                                                     |\n| `dependencyCheckJUnitFailBuildOnCVSS`  | If using JUnit, specifies the CVSS score that is considered a `test` failure when generating a JUnit style report                                                                    | 0.0                                                                            |\n| `dependencyCheckSkip`                  | Skips this project on the dependency-check analysis      
                                                                                                                            | `false`                                                                        |\n| `dependencyCheckScopes`                | What library dependency scopes are considered during the analysis                                                                                                                    | Compile = true, Test = false, Runtime = true, Provided = true, Optional = true |\n| `dependencyCheckScanSet`               | An optional sequence of files that specify additional files and/or directories to analyze as part of the scan                                                                        | Standard Scala conventions                                                     |\n| `dependencyCheckFormats`               | The report formats to be generated                                                                                                                                                   | `HTML`                                                                         |\n| `dependencyCheckAnalysisTimeout`       | Set the analysis timeout.                                                                                                                                                            | 180 minutes (by DependencyCheck)                                               |\n| `dependencyCheckOutputDirectory`       | The location to write the report(s).                                                                                                                                                 | `cross.target`                                                                 |\n| `dependencyCheckAutoUpdate`            | Sets whether auto-updating of the NVD CVE/CPE, retireJS and hosted suppressions data is enabled.                                                                                     
| `true`                                                                         |\n| `dependencyCheckDataDirectory`         | Base path to use for the data directory (for embedded db and other cached resources from the Internet)                                                                               | `[JAR]/data/11.0`                                                              |\n| `dependencyCheckSettingsFile`          | Where to look for the 'dependencycheck.properties' file                                                                                                                              | Resource `dependencycheck.properties`                                          |\n| `dependencyCheckAnalyzers`             | Settings for the different analyzers used during the analysis                                                                                                                        | See [Analyzer Settings](#analyzer-settings)                                    |\n| `dependencyCheckSuppressions`          | Combines a sequence of file paths, or URLs to the XML suppression files, with any hosted suppressions the analysis should be using. Suppressions are used to ignore false positives. | empty                                                                          |\n| `dependencyCheckDatabase`              | Settings for the database used to hold the CVEs during the analysis.                                                                                                                 | See [Database Settings](#database-settings)                                    |\n| `dependencyCheckNvdApi`                | Settings to contact the NVD API, such as API Key, Request Delay, Max Retries, etc.                                                                                                   | See [NVD API](#nvd-api)                                                        |\n| `dependencyCheckProxy`                 | Settings to use a Proxy. 
Honors System Properties like `https.proxyHost`, `https.proxyPort`, etc.                                                                                    | See [Running behind a proxy](#running-behind-a-proxy)                          |\n| `dependencyCheckConnectionTimeout`     | Sets the URL Connection Timeout (in milliseconds) used when downloading external data.                                                                                               | `10 seconds`                                                                   |\n| `dependencyCheckConnectionReadTimeout` | Sets the URL Connection Read Timeout (in milliseconds) used when downloading external data.                                                                                          | `60 seconds`                                                                   |\n\n#### Sensitive Configuration\n\n`DependencyCheck` may use sensitive information like usernames, passwords, and Bearer Tokens. Although these could be\nadded as SBT Setting Keys this is discouraged in order to avoid committing sensitive information to your VCS. Here are\nsome options to that:\n\n- Install this plugin globally under `~/.sbt/\u003cversion\u003e/plugins.sbt`, then define these values on that file.\n- Set the setting `dependencyCheckSettingsFile` using an external `dependencycheck.properties`.\n- Use System Properties when running an SBT Task: `sbt -Danalyzer.central.password=12348765 dependencyCheck`\n\n#### NVD API\n\nDependency-check has moved from using the NVD data-feed to the NVD API. It is **highly** encouraged to obtain an NVD API\nKey;\nsee [Requesting an API Key](https://nvd.nist.gov/developers/request-an-api-key). Without an NVD API Key, updating will\nbe **extremely slow**.\n\nThe NVD API has enforced rate limits. If you are using a single API KEY and multiple builds occur you could hit the rate\nlimit and receive 403 errors. 
In a CI environment one must use a caching strategy, like caching the Database\n(see [Database Settings](#database-settings)), or sharing the `Data Directory` between builds.\n\n| Setting          | Description                                                           | Default         |\n|:-----------------|:----------------------------------------------------------------------|:----------------|\n| `apiKey`         | API Key for the NVD API                                               | \"\"              |\n| `endpoint`       | NVD API Endpoint                                                      | `null`          |\n| `requestDelay`   | delay between requests for the NVD API                                | `0`             |\n| `maxRetryCount`  | the maximum number of retry requests for a single call to the NVD API | `30`            |\n| `validForHours`  | control the skipping of the check for NVD updates                     | `4`             |\n| `resultsPerPage` | control the results per page lower than NVD's default of 2000.        | `null` (`2000`) |\n\n**Data Feed Settings**\n\n| Setting        | Description                                                                                                                                                   | Default         |\n|:---------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------|\n| `url`          | URL for the NVD API Data Feed                                                                                                                                 | `null`          |\n| `startYear`    | starting year for the NVD CVE Data feed cache.                                                                                                                
| `null` (`2002`) |\n| `validForDays` | indicates how often the NVD API data feed needs to be updated before a full refresh is evaluated                                                              | `7`             |\n| `username`     | username to use when connecting to the NVD Data feed. For use when NVD API Data is hosted as datafeeds locally on a site requiring HTTP-Basic-authentication. | `null`          |\n| `password`     | password to authenticate to the NVD Data feed. For use when NVD API Data is hosted as datafeeds locally on a site requiring HTTP-Basic-authentication.        | `null`          |\n| `bearerToken`  | token to authenticate to the NVD Data feed. For use when NVD API Data is hosted as datafeeds locally on a site requiring HTTP-Bearer-authentication.          | `null`          |\n\n#### Database Settings\n\n| Setting              | Description                                                             | Default                                                                                      |\n|:---------------------|:------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------|\n| `driverName`         | the database driver class name. 
An embedded database is used by default | `org.h2.Driver`                                                                              |\n| `driverPath`         | the database driver class path                                          | `null`                                                                                       |\n| `connectionString`   | the database connection string                                          | `jdbc:h2:file:%s;AUTOCOMMIT=ON;CACHE_SIZE=65536;RETENTION_TIME=1000;MAX_COMPACT_TIME=10000;` |\n| `username`           | username to use when connecting to the database                         | `dcuser`                                                                                     |\n| `password`           | password to use when connecting to the database                         | \u003cmasked\u003e                                                                                     |\n| `batchInsertEnabled` | adds capabilities to batch insert. Tested on PostgreSQL and H2          | `true`                                                                                       |\n| `batchInsertSize`    | Size of database batch inserts                                          | `1000`                                                                                       |\n\n#### Suppression Settings\n\nSuppressions can be specified either as suppression files, as hosted suppressions, or as an SBT Setting Key.\nA suppression file can be either an actual file or a URL. Hosted suppressions are specified with a URL. The difference\nbetween the two is that suppression files are meant to be project specific, whereas hosted suppressions are meant to be,\nor can be, more general. Hosted Suppressions are considered \"base\" suppressions, whereas suppression files are not.\n\n
Suppressions defined with the `suppressions` field on the `dependencyCheckSuppressions` key are created using the\n`net.nmoncho.sbt.dependencycheck.settings.SuppressionRule` class, providing an alternative to defining suppressions with\nXML files.\n\nWhether suppressions are taken into account at all is governed by the Analyzer\nSetting `vulnerabilitySuppressionEnabled`.\nAnother useful setting is `failOnUnusedSuppressionRule`, which will fail the build if any non-base suppression rule is\nnot applied.\n\n**Suppression Files**\n\n| Setting       | Description                                                                                                                                             | Default |\n|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|\n| `files`       | files or URLs to consider                                                                                                                               | \u003cempty\u003e |\n| `user`        | the username used when connecting to the suppressionFiles. For use when your suppressionFiles are hosted on a site requiring HTTP-Basic-authentication. | `null`  |\n| `password`    | the password used when connecting to the suppressionFiles. For use when your suppressionFiles are hosted on a site requiring HTTP-Basic-authentication. | `null`  |\n| `bearerToken` | the token used when connecting to the suppressionFiles. For use when your suppressionFiles are hosted on a site requiring HTTP-Bearer-authentication.   
| `null`  |\n\n**Hosted Suppressions**\n\n| Setting         | Description                                                                                                                                | Default                                                                               |\n|:----------------|:-------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------|\n| `enabled`       | whether the hosted suppressions file datasource is enabled                                                                                 | `true`                                                                                |\n| `url`           | hosted suppressions file URL                                                                                                               | `https://jeremylong.github.io/DependencyCheck/suppressions/publishedSuppressions.xml` |\n| `forceUpdate`   | whether the hosted suppressions file will be updated regardless of the autoupdate settings.                                                | `null` (`false`)                                                                      |\n| `validForHours` | controls the skipping of the check for hosted suppressions file updates.                                                                   | `2`                                                                                   |\n| `username`      | the hosted suppressions username. For use when hosted suppressions are mirrored locally on a site requiring HTTP-Basic-authentication      | `null`                                                                                |\n| `password`      | the hosted suppressions password. 
For use when hosted suppressions are mirrored locally on a site requiring HTTP-Basic-authentication      | `null`                                                                                |\n| `bearerToken`   | the hosted suppressions bearer token. For use when hosted suppressions are mirrored locally on a site requiring HTTP-Bearer-authentication | `null`                                                                                |\n\n##### Packaged Suppressions\n\nIn order to avoid duplicating suppression rules between related projects, we can export suppression rules defined in a\nproject, and then reuse those suppressions on downstream projects. For example, say you have a \"commons\" project that\nincludes a library with a CVE, and another project that includes that \"commons\" project. If we run CI on both projects\nwith a dependency check, we'd have to define the same suppression rule in both projects, as \"commons\" would have this\ndependency in its classpath, and the other project would also have it as a transitive dependency. If we could define the\nsuppression only in \"commons\", and then reuse it on downstream projects, we would save ourselves a lot of copy/paste and\nheadaches.\n\nWe can use and export packaged suppressions by enabling the `packagedEnabled` field in\nthe `dependencyCheckSuppressions` key.\nBy default, packaged suppression rules are disabled.\n\n**Using Packaged Suppressions**\nTo use packaged suppression rules exported by other projects we need to whitelist what dependencies we'll accept\nsuppression rules from. By default, all dependencies are blacklisted.\n\n
For example, if we only want to accept packaged suppressions from libraries published by Typesafe or Lightbend, we\nwould configure our builds like:\n\n```scala\ndependencyCheckSuppressions := SuppressionSettings(\n  packagedEnabled = true,\n  packagedFilter = PackageFilter.ofGav {\n    case (\"com.typesafe\" | \"com.lightbend\", _, _) =\u003e true\n    case _ =\u003e false\n  }\n)\n```\n\nThere are other ways to define `PackageFilter`s that can filter each dependency available in the classpath.\n\n**Exporting Packaged Suppressions**\nWe can export the suppression rules we define in a project by just enabling the packaged suppression rules. An XML suppression\nrules file will be created and treated as a managed resource (i.e. it will be included in the packaged JAR).\n\nOnly the suppression rules defined in the `files` (non-URLs, just files) and the `suppressions` fields on the\n`dependencyCheckSuppressions` key will be included in the packaged suppression rules. The rationale is that URLs defined\nin the `files` field, or hosted suppressions, can easily be shared already.\n\nEvery packaged suppression rule will be marked as \"base\", meaning it won't show in the dependency check report, nor on\nthe unused suppression rules list. This is to avoid duplicating information on multiple projects.\n\n#### Analyzer Settings\n\nAnalyzer settings are grouped together where they make sense. This is an attempt to make the Setting Keys offered by the\nplugin a bit more readable and comprehensible.\n\n
To learn more, see the\navailable [File Type Analyzers](https://jeremylong.github.io/DependencyCheck/analyzers/index.html).\nSome analyzers may be enabled but marked as experimental; those may not run while `experimentalEnabled` is disabled.\nIf you don't care about a particular Analyzer, feel free to ignore it, leaving the default values as they are.\n\nSettings are grouped by either analyzer, tool, or language:\n\n| Setting                           | Description                                                                                             | Default |\n|:----------------------------------|:--------------------------------------------------------------------------------------------------------|:--------|\n| `additionalZipExtensions`         | additional file extensions to be treated like ZIP files, the contents will be extracted and analyzed.   | `None`  |\n| `archiveEnabled`                  | whether or not the Archive analyzer is enabled.                                                         | `true`  |\n| `artifactory`                     | Artifactory Settings.                                                                                   |         |\n| `autoconfEnabled`                 | whether or not the autoconf analyzer should be used.                                                    | `true`  |\n| `cmakeEnabled`                    | whether or not the CMake analyzer is enabled.                                                           | `true`  |\n| `cpanFileEnabled`                 | whether or not the Perl CPAN File analyzer is enabled.                                                  | `true`  |\n| `cpeEnabled`                      | whether or not the CPE analyzer is enabled.                                                             
| `true`  |\n| `cpeSuppressionEnabled`           | whether or not the CPE Suppression analyzer is enabled.                                                 | `true`  |\n| `dartEnabled`                     | whether or not the Dart analyzer is enabled.                                                            | `true`  |\n| `dependencyBundlingEnabled`       | whether or not the Dependency Bundling analyzer is enabled.                                             | `true`  |\n| `dependencyMergingEnabled`        | whether or not the Dependency Merging analyzer is enabled.                                              | `true`  |\n| `dotNet`                          | .NET Settings.                                                                                          |         |\n| `elixir`                          | Elixir Settings                                                                                         |         |\n| `experimentalEnabled`             | whether or not experimental analyzers are enabled.                                                      | `false` |\n| `failOnUnusedSuppressionRule`     | whether the Unused Suppression Rule analyzer should fail if there are unused rules.                     | `false` |\n| `falsePositiveEnabled`            | whether or not the False Positive analyzer is enabled.                                                  | `true`  |\n| `filenameEnabled`                 | whether or not the Filename analyzer is enabled.                                                        | `true`  |\n| `fileVersionEnabled`              | whether or not the File Version analyzer is enabled (reads the PE headers of DLL and EXE files).        | `true`  |\n| `golang`                          | Golang Settings.                                                                                        |         |\n| `hints`                           | Hints Settings.                                                                          
               |         |\n| `jarEnabled`                      | whether or not the JAR analyzer is enabled.                                                             | `true`  |\n| `knownExploitedVulnerabilities`   | Known Exploited Vulnerabilities settings.                                                               |         |\n| `mavenCentral`                    | Maven Central Settings                                                                                  |         |\n| `mavenInstallEnabled`             | whether or not the Maven Install analyzer is enabled.                                                   | `true`  |\n| `nexus`                           | Nexus Settings.                                                                                         |         |\n| `node`                            | Node Settings                                                                                           |         |\n| `nvdCveEnabled`                   | whether or not the NVD CVE analyzer is enabled.                                                         | `true`  |\n| `openSslEnabled`                  | whether or not the OpenSSL analyzer is enabled.                                                         | `true`  |\n| `php`                             | PHP Settings.                                                                                           |         |\n| `pnmp`                            | PNPM Settings.                                                                                          |         |\n| `python`                          | Python Settings.                                                                                        |         |\n| `retiredEnabled`                  | whether or not the retired analyzers are enabled.                                                       | `false` |\n| `retireJS`                        | RetireJS Settings.                                                        
                               |         |\n| `ruby`                            | Ruby Settings.                                                                                          |         |\n| `swift`                           | Swift Settings.                                                                                         |         |\n| `versionFilterEnabled`            | whether or not the Version Filter analyzer is enabled.                                                  | `true`  |\n| `vulnerabilitySuppressionEnabled` | whether or not the Vulnerability Suppression analyzer is enabled.                                       | `true`  |\n| `yarn`                            | Yarn Settings.                                                                                          |         |\n\nMost of the settings here are taken either from the default `dependencycheck.properties` or from the source code, so these\ntables gather them on a best-effort basis.\n\n##### Artifactory Settings\n\n| Setting            | Description                                                  | Default                                                |\n|:-------------------|:-------------------------------------------------------------|:-------------------------------------------------------|\n| `enabled`          | whether or not Artifactory is enabled                        | `false`                                                |\n| `url`              | Artifactory search URL                                       | `null`                                                 |\n| `parallelAnalysis` | whether or not to use parallel processing                    | `null` (`true`)                                        |\n| `apiToken`         | Artifactory API token                                        | `null`                                                 |\n| `username`         | Artifactory username                                         | `null`                           
                       |\n| `bearerToken`      | Artifactory bearer token                                     | `null`                                                 |\n| `usesProxy`        | whether or not the proxy should be used to reach Artifactory | `null` (`true` if proxy is enabled, `false` otherwise) |\n\n##### .NET Settings\n\n| Setting                 | Description                                                        | Default |\n|:------------------------|:-------------------------------------------------------------------|:--------|\n| `assemblyEnabled`       | whether or not the .NET Assembly analyzer is enabled               | `true`  |\n| `assemblyPath`          | The path to dotnet core, if available                              | `null`  |\n| `nuspecEnabled`         | whether or not the .NET Nuspec analyzer is enabled                 | `true`  |\n| `nugetConfEnabled`      | whether or not the .NET Nuget packages.config analyzer is enabled  | `true`  |\n| `libManEnabled`         | whether or not the Libman analyzer is enabled                      | `true`  |\n| `msBuildProjectEnabled` | whether the .NET MSBuild Project analyzer is enabled               | `true`  |\n\n##### Elixir Settings\n\n| Setting           | Description                                             | Default              |\n|:------------------|:--------------------------------------------------------|:---------------------|\n| `mixAuditEnabled` | whether or not the Elixir mix audit analyzer is enabled | `true`               |\n| `mixAuditPath`    | The path to mix_audit, if available                     | `null` (`mix_audit`) |\n\n##### Golang Settings\n\n| Setting                     | Description                                | Default       |\n|:----------------------------|:-------------------------------------------|:--------------|\n| `dependencyAnalyzerEnabled` | whether the Golang Dep analyzer is enabled | `true`        |\n| `moduleAnalyzerEnabled`     | whether the 
Golang Mod analyzer is enabled | `true`        |\n| `path`                      | The path to go, if available               | `null` (`go`) |\n\n##### Hints Settings\n\n| Setting     | Description                          | Default |\n|:------------|:-------------------------------------|:--------|\n| `enabled`   | whether the Hint analyzer is enabled | `true`  |\n| `hintsFile` | path to the hints file               | `null`  |\n\n##### Known Exploited Vulnerabilities Settings\n\n| Setting         | Description                                                                                                                                                        | Default                                                                               |\n|:----------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------|\n| `enabled`       | whether the Known Exploited Vulnerabilities analyzer is enabled                                                                                                    | `true`                                                                                |\n| `url`           | the URL to retrieve the Known Exploited Vulnerabilities                                                                                                            | `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json` |\n| `username`      | the known exploited vulnerabilities username. For use when known exploited vulnerabilities are mirrored locally on a site requiring HTTP-Basic-authentication      | `null`                                                                                |\n| `password`      | the known exploited vulnerabilities password. 
For use when known exploited vulnerabilities are mirrored locally on a site requiring HTTP-Basic-authentication      | `null`                                                                                |\n| `bearerToken`   | the known exploited vulnerabilities bearer token. For use when known exploited vulnerabilities are mirrored locally on a site requiring HTTP-Bearer-authentication | `null`                                                                                |\n| `validForHours` | controls the skipping of the check for Known Exploited Vulnerabilities updates.                                                                                    | `24`                                                                                  |\n\n##### Maven Central Settings\n\n| Setting            | Description                                                                                                                                                                                     | Default                                      |\n|:-------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------|\n| `enabled`          | whether the Maven Central analyzer is enabled                                                                                                                                                   | `true`                                       |\n| `url`              | the Maven Central search URL                                                                                                                                                                    | `https://search.maven.org/solrsearch/select` |\n| `query`            | the Maven Central search query                                                                                                 
                                                                 | `%s?q=1:%s\u0026wt=xml`                           |\n| `usesCache`        | whether Maven Central search results will be cached                                                                                                                                             | `true`                                       |\n| `retryCount`       | the Maven Central analyzer request retry count                                                                                                                                                  | `7`                                          |\n| `parallelAnalysis` | whether the Maven Central analyzer should use parallel processing                                                                                                                               | `false`                                      |\n| `username`         | the Username to obtain content from Maven Central. For use when the central content URL is reconfigured to a site requiring HTTP-Basic-authentication                                           | `null`                                       |\n| `password`         | the Password to obtain content from Maven Central. For use when the central content URL is reconfigured to a site requiring HTTP-Basic-authentication                                           | `null`                                       |\n| `bearerToken`      | the token to obtain content from Maven Central from an HTTP-Bearer-auth protected location. 
For use when the central content URL is reconfigured to a site requiring HTTP-Bearer-authentication | `null`                                       |\n\n##### Nexus Settings\n\n| Setting     | Description                             | Default                                          |\n|:------------|:----------------------------------------|:-------------------------------------------------|\n| `enabled`   | whether the Nexus analyzer is enabled   | `false`                                          |\n| `url`       | the Nexus search URL                    | `https://repository.sonatype.org/service/local/` |\n| `username`  | the Nexus search credentials username   | `null`                                           |\n| `password`  | the Nexus search credentials password   | `null`                                           |\n| `usesProxy` | whether to use the proxy to reach Nexus | `true`                                           |\n\n##### Node Settings\n\n| Setting                      | Description                                                   | Default                                               |\n|:-----------------------------|:--------------------------------------------------------------|:------------------------------------------------------|\n| `auditEnabled`               | whether the Node Audit analyzer is enabled                    | `true`                                                |\n| `auditUrl`                   | the URL to the Node Audit API                                 | `https://registry.npmjs.org/-/npm/v1/security/audits` |\n| `auditSkipDevDependencies`   | whether the Node Audit analyzer should skip devDependencies   | `null` (`false`)                                      |\n| `auditUsesCache`             | whether node audit analyzer results will be cached            | `true`                                                |\n| `packageEnabled`             | whether the Node Package analyzer is enabled                  | `true`  
                                               |\n| `packageSkipDevDependencies` | whether the Node Package analyzer should skip devDependencies | `null` (`false`)                                      |\n| `npmCpeEnabled`              | whether the NPM CPE analyzer is enabled                       | `true`                                                |\n\n##### Sonatype OSS Index Settings\n\n| Setting                  | Description                                                                                                                    | Default                         |\n|:-------------------------|:-------------------------------------------------------------------------------------------------------------------------------|:--------------------------------|\n| `enabled`                | whether the Sonatype OSS Index analyzer is enabled                                                                             | `true`                          |\n| `url`                    | the Sonatype OSS Index URL                                                                                                     | `https://ossindex.sonatype.org` |\n| `batchSize`              | the Sonatype OSS batch-size                                                                                                    | `null` (128)                    |\n| `requestDelay`           | the Sonatype OSS Request Delay. 
Amount of time in seconds to wait before executing a request against the Sonatype OSS Rest API | `null` (0)                      |\n| `useCache`               | whether the Sonatype OSS Index should use a local cache                                                                        | `true`                          |\n| `warnOnlyOnRemoteErrors` | only warning about Sonatype OSS Index remote errors instead of failing the request                                             | `null` (`false`)                |\n| `username`               | the Sonatype OSS Index user                                                                                                    | `null`                          |\n| `password`               | the Sonatype OSS Index password                                                                                                | `null`                          |\n\n##### PHP Settings\n\n| Setting                           | Description                                                          | Default          |\n|:----------------------------------|:---------------------------------------------------------------------|:-----------------|\n| `composerLockEnabled`             | whether the PHP composer lock file analyzer is enabled               | `true`           |\n| `composerLockSkipDevDependencies` | whether the PHP composer lock file analyzer should skip dev packages | `null` (`false`) |\n\n##### PNPM Settings\n\n| Setting   | Description                          | Default         |\n|:----------|:-------------------------------------|:----------------|\n| `enabled` | whether the pnpm analyzer is enabled | `true`          |\n| `path`    | the path to pnpm if available        | `null` (`pnpm`) |\n\n##### Python Settings\n\n| Setting               | Description                                         | Default |\n|:----------------------|:----------------------------------------------------|:--------|\n| `pipEnabled`          | whether 
the pip analyzer is enabled                 | `true`  |\n| `pipFileEnabled`      | whether the pipfile analyzer is enabled             | `true`  |\n| `distributionEnabled` | whether the Python Distribution analyzer is enabled | `true`  |\n| `packageEnabled`      | whether the Python Package analyzer is enabled      | `true`  |\n| `poetryEnabled`       | whether the Poetry analyzer is enabled              | `true`  |\n\n##### RetireJS Settings\n\n| Setting               | Description                                                                                                                                                                                | Default                                                                                    |\n|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------|\n| `enabled`             | whether the RetireJS analyzer is enabled                                                                                                                                                   | `true`                                                                                     |\n| `forceUpdate`         | whether the RetireJS repository will be updated regardless of the autoupdate settings                                                                                                      | `null` (`false`)                                                                           |\n| `filters`             | the RetireJS analyzer file content filters                                                                                                                                                 | `null` (\u003cempty\u003e)                                                                         
  |\n| `filterNonVulnerable` | whether the RetireJS analyzer should filter out non-vulnerable dependencies                                                                                                                | `false`                                                                                    |\n| `url`                 | the URL to the RetireJS repository                                                                                                                                                         | `https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json` |\n| `username`            | the RetireJS Repository username. For use when the RetireJS Repository is mirrored on a site requiring HTTP-Basic-authentication                                                           | `null`                                                                                     |\n| `password`            | the RetireJS Repository password. For use when the RetireJS Repository is mirrored on a site requiring HTTP-Basic-authentication                                                           | `null`                                                                                     |\n| `bearerToken`         | the token to download the RetireJS JSON data from an HTTP-Bearer-auth protected location. For use when the RetireJS Repository is mirrored on a site requiring HTTP-Bearer-authentication. 
| `null`                                                                                     |\n| `validForHours`       | to control the skipping of the check for CVE updates                                                                                                                                       | `24`                                                                                       |\n\n##### Ruby Settings\n\n| Setting                       | Description                                        | Default                                                  |\n|:------------------------------|:---------------------------------------------------|:---------------------------------------------------------|\n| `gemSpecEnabled`              | whether the Ruby Gemspec Analyzer is enabled       | `true`                                                   |\n| `bundleAuditEnabled`          | whether the Ruby Bundler Audit analyzer is enabled | `true`                                                   |\n| `bundleAuditPath`             | The path to bundle-audit, if available             | `null` (`bundle-audit`)                                  |\n| `bundleAuditWorkingDirectory` | bundle-audit working directory                     | `null` (where `bundle-audit` is contained, may be `pwd`) |\n\n##### Swift Settings\n\n| Setting                  | Description                                            | Default |\n|:-------------------------|:-------------------------------------------------------|:--------|\n| `packageManagerEnabled`  | whether the SWIFT package manager analyzer is enabled  | `true`  |\n| `packageResolvedEnabled` | whether the SWIFT package resolved analyzer is enabled | `true`  |\n| `carthageEnabled`        | whether the carthage analyzer is enabled               | `true`  |\n| `cocoapodsEnabled`       | whether the cocoapods analyzer is enabled              | `true`  |\n\n##### Yarn Settings\n\n| Setting   | Description                          | 
Default         |\n|:----------|:-------------------------------------|:----------------|\n| `enabled` | whether the Yarn analyzer is enabled | `true`          |\n| `path`    | the path to Yarn if available        | `null` (`yarn`) |\n\n### Running behind a proxy\n\nSBT and `sbt-dependency-check` both honor the standard http and https proxy settings for the JVM.\n\n```bash\nsbt -Dhttp.proxyHost=proxy.example.com \\\n    -Dhttp.proxyPort=3218 \\\n    -Dhttp.proxyUser=username \\\n    -Dhttp.proxyPassword=password \\\n    -Dproxy.nonproxyhosts=\"localhost|http://www.google.com\" \\\n    dependencyCheck\n```\n\n### Changing Log Level\n\nAdd `-Dlog4j2.level=\u003clevel\u003e` when running a task, for example:\n\n```bash\nsbt -Dlog4j2.level=debug dependencyCheck\n```\n\nReplace `dependencyCheck` with the right [task name](#tasks) that you use for your project.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnmoncho%2Fsbt-dependency-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnmoncho%2Fsbt-dependency-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnmoncho%2Fsbt-dependency-check/lists"}