Automic VaultAutomic Vault

brew

Install dependency-check with Homebrew, scoop

OWASP dependency-check. Version 12.2.2 via Homebrew; verified 2026-06-23.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install dependency-check

local Homebrew formula metadata

Windows

Scoopverified · 92%
scoop install main/dependency-check

Scoop official bucket manifest trees · bucket/dependency-check.json · source: api.github.com

overview

Package summary

OWASP dependency-check

Commands and aliases

  • dependency-check

history

Project history and usage

OWASP Dependency-Check is a long-running software composition analysis tool that detects publicly disclosed vulnerabilities in project dependencies. It maps dependencies to CPE identifiers and reports related CVE entries, putting vulnerability intelligence into command-line, build-tool, and CI workflows.

Project history

The official GitHub repository dates to 2012, and the OWASP project page describes Dependency-Check as an SCA tool suite for identifying dependencies and checking them against known public vulnerabilities. The project grew from a Java command-line scanner into a family of integrations for Maven, Gradle, Ant, Jenkins, and other build environments.

The README and generated CLI documentation show a project that has adapted to changes in vulnerability data distribution. Modern releases use the NVD API, recommend an NVD API key for acceptable update speed, and document analyzer behavior for ecosystems such as .NET, Go, npm, pnpm, yarn, Ruby, Maven, and Gradle.

Adoption history

Dependency-Check became a standard OWASP-branded option for teams that wanted vulnerability scanning without adopting a commercial SCA platform. Its availability as a standalone CLI, Maven plugin, Gradle plugin, Ant task, Jenkins plugin, GitHub releases, and Homebrew formula helped it travel through Java shops, CI servers, and security baselines.

How it is used

The common command-line shape is `dependency-check --project <name> --scan <path> --out <dir>`, producing reports that list dependencies, matching CPEs, and CVEs. Build integrations usually wire the same engine into verification phases or CI jobs, while larger installations may use a shared data directory or centralized database to avoid repeatedly downloading vulnerability data.

Why package nerds care

Package nerds care about Dependency-Check because it sits at the messy join between language package metadata and vulnerability databases. Its CPE matching, analyzer requirements, NVD API migration, local data cache, and plugin ecosystem are all examples of the hard operational details behind a simple phrase like dependency vulnerability scan.

Timeline

  • 2012: Official DependencyCheck repository created.
  • 2012: OWASP Dependency-Check copyright period begins in generated project documentation.
  • 2024: Version 9.0.0 and later moved from NVD data feeds to the NVD API.
  • 2026: CLI documentation published for version 12.2.2.

Related projects

  • Related official surfaces include dependency-check-core, dependency-check-cli, dependency-check-maven, dependency-check-gradle, dependency-check-ant, and the Jenkins plugin.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 1 platform targets.
  • Installs with 1 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
dependency-checkcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version12.2.2
manager updated2026-06-23
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/dependency-check/DependencyCheck

install metadata

Package metadata

Package keybrew:dependency-check
Version12.2.2
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/dependency-check
Homepagehttps://owasp.org/www-project-dependency-check/
Repositoryhttps://github.com/dependency-check/DependencyCheck
Upstream docshttps://github.com/dependency-check/DependencyCheck#readme
LicenseApache-2.0
Source archivehttps://github.com/dependency-check/DependencyCheck/releases/download/v12.2.2/dependency-check-12.2.2-release.zip
Last updated2026-06-23T11:38:03-04:00
Pulseupdated
Dependenciesopenjdk
Bottleavailable (on all)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namedependency-check
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Scoop95%

main/dependency-check

scoop install main/dependency-check
  • normalized package name match
  • Matched by: Dependency Check
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/dependency-check.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment