macOS
brew install dependency-checklocal Homebrew formula metadata
brew
OWASP dependency-check. Version 12.2.2 via Homebrew; verified 2026-06-23.
install
brew install dependency-checklocal Homebrew formula metadata
scoop install main/dependency-checkScoop official bucket manifest trees · bucket/dependency-check.json · source: api.github.com
overview
OWASP dependency-check
history
OWASP Dependency-Check is a long-running software composition analysis tool that detects publicly disclosed vulnerabilities in project dependencies. It maps dependencies to CPE identifiers and reports related CVE entries, putting vulnerability intelligence into command-line, build-tool, and CI workflows.
The official GitHub repository dates to 2012, and the OWASP project page describes Dependency-Check as an SCA tool suite for identifying dependencies and checking them against known public vulnerabilities. The project grew from a Java command-line scanner into a family of integrations for Maven, Gradle, Ant, Jenkins, and other build environments.
The README and generated CLI documentation show a project that has adapted to changes in vulnerability data distribution. Modern releases use the NVD API, recommend an NVD API key for acceptable update speed, and document analyzer behavior for ecosystems such as .NET, Go, npm, pnpm, yarn, Ruby, Maven, and Gradle.
Dependency-Check became a standard OWASP-branded option for teams that wanted vulnerability scanning without adopting a commercial SCA platform. Its availability as a standalone CLI, Maven plugin, Gradle plugin, Ant task, Jenkins plugin, GitHub releases, and Homebrew formula helped it travel through Java shops, CI servers, and security baselines.
The common command-line shape is `dependency-check --project <name> --scan <path> --out <dir>`, producing reports that list dependencies, matching CPEs, and CVEs. Build integrations usually wire the same engine into verification phases or CI jobs, while larger installations may use a shared data directory or centralized database to avoid repeatedly downloading vulnerability data.
Package nerds care about Dependency-Check because it sits at the messy join between language package metadata and vulnerability databases. Its CPE matching, analyzer requirements, NVD API migration, local data cache, and plugin ecosystem are all examples of the hard operational details behind a simple phrase like dependency vulnerability scan.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
dependency-check | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/dependency-check/DependencyCheck
install metadata
| Package key | brew:dependency-check |
|---|---|
| Version | 12.2.2 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/dependency-check |
| Homepage | https://owasp.org/www-project-dependency-check/ |
| Repository | https://github.com/dependency-check/DependencyCheck |
| Upstream docs | https://github.com/dependency-check/DependencyCheck#readme |
| License | Apache-2.0 |
| Source archive | https://github.com/dependency-check/DependencyCheck/releases/download/v12.2.2/dependency-check-12.2.2-release.zip |
| Last updated | 2026-06-23T11:38:03-04:00 |
| Pulse | updated |
| Dependencies | openjdk |
| Bottle | available (on all) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | dependency-check |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
main/dependency-check
scoop install main/dependency-checksource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.