In this section:
OWASP dependency-check is an open source tool that scans Java and .NET projects and identifies the use of known vulnerable components. Parasoft OWASP Dependency Check Pack reads the results the OWASP dependency-check tool and reports vulnerabilities to Parasoft DTP in a standardized format. This enables DTP to present the data in widgets and to provide remediation paths for addressing the vulnerabilities.
Vulnerabilities are reported in DTP as violations of the OWASP Top 10 2013 entry: A9 Using Components with Known Vulnerabilities guideline. Merging the OWASP Dependency Check Pack data with code analysis results from Parasoft Jtest or dotTEST enables the full implementation of your OWASP security compliance initiative.
Oracle Java Runtime 8 or higher
DISPLAYvariable must be set and access control must be disabled for the
xtest +). This is required to ensure that overview images in HTML reports display correctly.
The OWASP Dependency Check Pack is shipped with the Parasoft Security Bundle.
For DTP to display the OWASP dependency-check rule documentation, the rules shipped with the OWASP Dependency Check Pack must be copied to the DTP rules directory.
Copy the contents of the <DEPENDENCY_CHECK_INSTALL>/rulesdoc/dependencycheck/ directory to the <DTP_INSTALL>/tomcat/webapps/grs/rulesdoc/ directory.
After copying the rules, documentation associated with OWASP dependency-check violations will be available in DTP interfaces, such as the Documentation tab of the Violations Explorer.
The OWASP Dependency Check Pack is a separate tool and must connect to DTP to acquire a license and to send results to your DTP project. Specify the following settings in the settings.properties file located in the installation directory:
Specifies the host name of the DTP server.
Specifies the DTP port number. Default is
Specifies the user name for DTP authentication.
Specifies the user password for DTP authentication. You can encode your DTP password by running the dependency.sh or .bat with the
-encodepass parameter. For example:
Specifies the name of the existing DTP project that you want to link to.
Specifies the build that the data should be associated with. For accurate results, the build ID should match the build ID configured in your static analysis tool
If you have not already done so, execute OWASP dependency-check. The results should be output to an XML file.
Open a command prompt and navigate to the OWASP Dependency Check Pack installation directory.
Execute the .BAT or .SH script with specifying the OWASP dependency-check results using the
-results.file parameter, e.g.:
-results.file is the only required parameter, but you can pass the following optional parameters:
This settings specifies the location for generated log files. The recommended location is
By default, the OWASP Dependency Check Pack will reference the settings.properties file in the installation directory, but you can use this setting to point to alternate configuration files. Example:
After executing the OWASP Dependency Check Pack, results are output in two ways: