Docker-based self-updating central OWASP DependencyCheck Database Server. This is an out-of-the-box solution for the central Enterprise Setup described here. It is based on a MySQL database.
- Very fast analysis
- Self-updating, thus always up-to-date CVE data
- No manual central database setup required
- Analysis clients do not require internet access (see below)
- Improved reliability in case of connection issues to the NVD
In order to start the Database Server simply run

```sh
docker run -p 3306:3306 stefanneuhaus/dependencycheck-central-mysql
```
All kinds of analysis clients are supported: Gradle, Maven, Ant, Jenkins, CLI. Apply the following changes to your build file:

- add a buildscript dependency for `mysql:mysql-connector-java:5.1.44`
- disable database updates triggered by your project: `autoUpdate = false`
- add the database connection parameters: `data { ... }`
Example (Gradle):

```groovy
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:3.1.2'
        // JDBC driver needed by the plugin to reach the central MySQL database
        classpath 'mysql:mysql-connector-java:5.1.44'
    }
}

apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    // the server updates the database; clients must never trigger updates
    autoUpdate = false
    data {
        connectionString = "jdbc:mysql://<DC_HOST>:3306/dependencycheck?useSSL=false"
        driver = "com.mysql.jdbc.Driver"
        username = "dc"
        password = "change-me"
    }
}
```

Start the Dependency Analysis:

```sh
./gradlew dependencyCheckAnalyze
```
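The same three client changes for a Maven project, added here as an example that is not part of this image's documentation. It assumes the `dependency-check-maven` plugin parameters `autoUpdate`, `connectionString`, `databaseDriverName`, `databaseUser` and `databasePassword` as documented by the Maven plugin, and uses `dc-host.example` as a placeholder for the host running the Database Server.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>3.1.2</version>
      <configuration>
        <!-- the server updates the database; the client must never trigger updates -->
        <autoUpdate>false</autoUpdate>
        <!-- dc-host.example is a placeholder for the Database Server host -->
        <connectionString>jdbc:mysql://dc-host.example:3306/dependencycheck?useSSL=false</connectionString>
        <databaseDriverName>com.mysql.jdbc.Driver</databaseDriverName>
        <databaseUser>dc</databaseUser>
        <databasePassword>change-me</databasePassword>
      </configuration>
      <dependencies>
        <!-- JDBC driver on the plugin classpath, the counterpart of the Gradle buildscript dependency -->
        <dependency>
          <groupId>mysql</groupId>
          <artifactId>mysql-connector-java</artifactId>
          <version>5.1.44</version>
        </dependency>
      </dependencies>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the analysis against the central database; keep the real database password out of the POM (for example in `settings.xml` or an environment-backed property).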
Updates of the Database are triggered on the hour. Note that the initial update can take quite some time (~30 min on my machine). In order to get reliable analysis results the initial update must have finished successfully. Subsequent updates are incremental ones and should finish within a couple of seconds.
Plugin versions used in the project to be analyzed (client) usually stay compatible with the DependencyCheck Enterprise Docker Database (server) for a long time. All client/server combinations with version >= 1.4.1 should work together.

- Clients do not require internet access in general. Clients that want to use the so-called "Central Analyzer" (enabled by default) need HTTP/HTTPS access in order to connect to the Maven Central Repository. See the OWASP DependencyCheck documentation for further information.