OWASP Dependency Check
OWASP dependency-check is an open source solution that can be used to scan Java and .NET applications to identify the use of known vulnerable components.
Adding OWASP Check to Gradle Projects
Add the following fragments to build.gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:5.2.2'
    }
}

plugins {
    id 'org.owasp.dependencycheck' version '5.2.2'
}

Gradle Task

./gradlew dependencyCheckAggregate

Configuring DependencyCheck

dependencyCheck {
    format = 'ALL'                 // write every supported report format (HTML, XML, CSV, JSON, ...)
    cveValidForHours = 1           // refresh the local NVD data once it is older than this
    outputDirectory = file("$project.buildDir/reports/dependencycheck")
    suppressionFile = 'config/dependencyCheck/suppressions.xml'
    failBuildOnCVSS = 5            // fail the build when any finding has a CVSS score >= 5
    failOnError = true             // fail the build if an analyzer errors instead of skipping it
}

Sample Suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[file name: postgresql-42.2.5.jar]]></notes>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2016-7048</cve>
</suppress>
</suppressions>
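To see what the failBuildOnCVSS threshold and the suppression rules above actually decide, here is an added Python script (not part of dependency-check or of this page's original content) that replays that logic over a report: it loads a suppressions.xml, derives group:artifact:version from each dependency's Maven package id, lists the findings at or above the threshold that no suppression covers, and reports which suppressions were used so stale rules can be pruned. The JSON report shape, the widget library and its CVE-0000-* ids are constructed placeholders, and only <gav> and <cve> rules are handled (not cpe, vulnerabilityName or cvssBelow).

```python
import json
import re
import xml.etree.ElementTree as ET
NS = "{https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd}"
# Constructed sample inputs (not real scanner output), in the field shape assumed for the JSON report.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "postgresql-42.2.5.jar",
     "packages": [{"id": "pkg:maven/org.postgresql/postgresql@42.2.5"}],
     "vulnerabilities": [{"name": "CVE-2016-7048", "cvssv3": {"baseScore": 6.0}}]},
    {"fileName": "widget-1.0.jar",  # placeholder library; its CVE ids are placeholders too
     "packages": [{"id": "pkg:maven/com.example/widget@1.0"}],
     "vulnerabilities": [{"name": "CVE-0000-0000", "cvssv3": {"baseScore": 7.5}},
                         {"name": "CVE-0000-0001", "cvssv3": {"baseScore": 3.1}}]}]})
SAMPLE_SUPPRESSIONS = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[file name: postgresql-42.2.5.jar]]></notes>
    <gav regex="true">^org\.postgresql:postgresql:.*$</gav>
    <cve>CVE-2016-7048</cve>
  </suppress>
</suppressions>"""

def load_suppressions(xml_text):
    """One (gav_pattern, cve_set) per <suppress>; no <gav> means the rule applies to any GAV."""
    rules = []
    for s in ET.fromstring(xml_text).findall(NS + "suppress"):
        gav = s.find(NS + "gav")  # regex="true" is matched in full, otherwise compared exactly
        text = ".*" if gav is None else gav.text if gav.get("regex") == "true" else re.escape(gav.text)
        rules.append((re.compile(text), {c.text for c in s.findall(NS + "cve")}))
    return rules

def gav_from_purl(purl):
    """'pkg:maven/org.postgresql/postgresql@42.2.5' -> 'org.postgresql:postgresql:42.2.5'."""
    m = re.fullmatch(r"pkg:maven/([^/]+)/([^@]+)@(.+)", purl)
    return ":".join(m.groups())

def evaluate(report_json, suppression_xml, fail_on_cvss):
    """Return (findings that would fail the build, indexes of suppressions that matched)."""
    rules = load_suppressions(suppression_xml)
    failing, used = [], set()
    for dep in json.loads(report_json)["dependencies"]:
        gavs = [gav_from_purl(p["id"]) for p in dep.get("packages", [])]
        for vuln in dep.get("vulnerabilities", []):
            score = vuln.get("cvssv3", {}).get("baseScore", 0.0)
            hits = [i for i, (pat, cves) in enumerate(rules)
                    if vuln["name"] in cves and any(pat.fullmatch(g) for g in gavs)]
            used.update(hits)
            if not hits and score >= fail_on_cvss:  # same threshold semantics as failBuildOnCVSS
                failing.append((dep["fileName"], vuln["name"], score))
    return failing, sorted(used)
```

Run with `evaluate(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS, 5)`: the postgresql finding is covered by suppression 0 and only the placeholder widget finding at 7.5 would fail the build.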