Shim to easily install the OWASP dependency-check-cli tool into Python projects.
dependency-check scans application dependencies and checks whether they contain any published vulnerabilities (based on the NIST NVD).
It runs in the JVM, so you need some form of java available in your
The script should work on Linux, Mac OS X and Windows, but right now it is only tested on Linux.
After installation, you'll have the dependency-check command available that, on first use, will automatically download and install the OWASP release archive once for all projects. It'll then redirect any calls to that installation, meaning the downloaded NVD data is shared
```sh
dependency-check --disableAssembly -s . -o build --project "$(python ./setup.py --name)" \
    --exclude ".git/**" --exclude ".venv/**" --exclude "**/__pycache__/**" --exclude ".tox/**" \
    && xdg-open build/dependency-check-report.html
```
Please see the DependencyCheck site for more configuration and usage details.
To install from PyPI, add dependency-check to your or a similar file. For more installation options, see the Installation section below.
Using environment variables, you can change the version and download location of the release archive, and the directory for the local installation.
To update to a new version of the OWASP software, set DEPENDENCY_CHECK_VERSION to the new version number,
DEPENDENCY_CHECK_NVD_URL can be used to point to a local copy of the various NVD feeds, in a flat hierarchy with compressed JSON files. If you set this, the options --cveUrlModified will be added to each call. Note that the %d representing the year is replaced by modified for the latter.
~/.local/dependency-check/data/ directory to force a full data reload.
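The following is an added example, not the shim's own code, showing how the environment variables described above can be turned into a command line for the installed OWASP CLI. Only DEPENDENCY_CHECK_VERSION and DEPENDENCY_CHECK_NVD_URL come from this page; the shared install root, the launcher path inside the unpacked release, and the pairing of --cveUrlModified with --cveUrlBase (both real dependency-check CLI options, but the page names only the former) are assumptions.

```python
"""Added example (not the project's own code): derive the CLI invocation
for the downloaded OWASP tool from DEPENDENCY_CHECK_* environment variables.
Everything except the two variable names from the README is an assumption."""
from __future__ import annotations

import os
import shlex
from pathlib import Path

DEFAULT_VERSION = "X.Y.Z"  # placeholder: the shim's real default is not on the page
# Assumed shared install root; the page mentions ~/.local/dependency-check/data/
HOME_DIR = Path("~/.local/dependency-check").expanduser()


def nvd_options(nvd_url: str | None) -> list[str]:
    """Translate DEPENDENCY_CHECK_NVD_URL into CLI options.

    The template uses '%d' for the year; the "modified" feed is the same
    path with '%d' replaced by 'modified', as the text describes.  Adding
    --cveUrlBase next to --cveUrlModified is an assumption (both exist in
    the dependency-check CLI; the page names only the latter)."""
    if not nvd_url:
        return []
    if "%d" not in nvd_url:
        raise ValueError("DEPENDENCY_CHECK_NVD_URL must contain '%d' for the year")
    return [
        "--cveUrlBase", nvd_url,
        "--cveUrlModified", nvd_url.replace("%d", "modified"),
    ]


def build_command(args: list[str], env: dict[str, str] | None = None) -> list[str]:
    """Build the argv a shim would hand to the installed CLI.

    `env` defaults to os.environ; passing a dict keeps the function testable."""
    env = dict(os.environ) if env is None else env
    version = env.get("DEPENDENCY_CHECK_VERSION", DEFAULT_VERSION)
    # Assumed layout: one unpacked release per version under the shared home,
    # using the shell launcher shipped in the OWASP archive.
    launcher = HOME_DIR / f"dependency-check-{version}" / "bin" / "dependency-check.sh"
    return [str(launcher), *args, *nvd_options(env.get("DEPENDENCY_CHECK_NVD_URL"))]


if __name__ == "__main__":
    # Constructed sample: scan the current directory with a local NVD mirror
    sample_env = {"DEPENDENCY_CHECK_VERSION": "9.9.9",
                  "DEPENDENCY_CHECK_NVD_URL": "file:///srv/nvd/nvdcve-1.1-%d.json.gz"}
    print(shlex.join(build_command(["-s", ".", "-o", "build"], sample_env)))
```

Keeping the install root outside the project tree is what lets the NVD data be reused across projects, so a CI job only pays the feed download once per runner.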
To just get the dependency-check CLI tool installed into your home, independent of any project, call python3 -m pip install --user dependency-check as usual; see releases for an overview of available versions.
If you prefer an isolated and easily removable venv installation, consider using dephell jail install dependency-check instead.
To get a bleeding-edge version from source, use these commands:
```sh
repo="jhermann/dependency-check-py"
python3 -m pip install -r "https://raw.githubusercontent.com/$repo/master/requirements.txt"
python3 -m pip install "https://github.com/$repo/archive/master.zip#egg=dependency-check"
```
As a developer, to create a working directory for this project, call these commands:
```sh
git clone "https://github.com/jhermann/dependency-check-py.git"
cd "dependency-check-py"
command . .env --yes --develop
invoke build --docs test check
```
You might also need to follow some setup procedures to make the necessary basic commands available on Linux, Mac OS X, and Windows.