File Type Analyzers
OWASP dependency-check contains several analyzers that are used to extract identification information from the files analyzed.
| Analyzer | File Types Scanned | Analysis Method |
|---|---|---|
| Archive | Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2); RPM format (*.rpm) | Extracts archive contents, then scans contents with all available analyzers. |
| Assembly | .NET Assemblies (*.exe, *.dll) | Uses GrokAssembly.exe; requires the dotnet core 8.0 runtime to be installed. |
| Jar | Java archive files (*.jar); Web application archive (*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
| MS Build | MS Build files (*.csproj, *.vbproj) | Parses the project files, including related directory build or package properties, to gather dependency information. |
| Node Package | NPM package specification files (package.json) | Parses the package.json to gather dependency information for a Node JS project. |
| Node Audit | NPM package lock files (package-lock.json, npm-shrinkwrap.json) | Uses the npm audit APIs to report on known vulnerable node.js libraries. This analyzer requires an Internet connection. |
| Nugetconf | Nuget packages.config file | Uses XPath to parse specification XML. |
| Nuspec | Nuget package specification file (*.nuspec) | Uses XPath to parse specification XML. |
| OpenSSL | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
| PNPM Audit | PNPM lock files (pnpm-lock.yaml) |
Uses the PNPM CLI audit command to analyze lock files and retrieve vulnerabilities from the NPM Audit APIs. |
| RetireJS | JavaScript files | Analyzes JavaScript files using the RetireJS database. |
| Ruby bundler‑audit | Ruby Gemfile.lock files |
Executes bundle-audit and incorporates the results into the dependency-check report. |
| Yarn Audit | Yarn lock files (yarn.lock) |
Uses the Yarn CLI audit command to analyze lock files and retrieve vulnerabilities from the NPM Audit APIs. |
Augmenting Analyzers
These analyzers augment file type analyzers by sourcing additional metadata and vulnerability information from other data sources. In contrast to the file type analyzers, they are not always limited to a specific file type, and rely on other analyzers to discover relevant dependencies.
| Analyzer | File Types Scanned | Analysis Method |
|---|---|---|
| OSS Index | All dependencies whose PURL/Package URL can be determined. | Uses the Sonatype Guide OSS Index APIs to report on vulnerabilities not found in the NVD. This analyzer requires an internet connection, and authentication is mandatory. |
| Central | Java archive files (*.jar) | Uses dependency hashes to query Maven Central for more reliable Maven Project Object Module metadata (pom.xml) for vulnerability matching. |
| Artifactory | Java archive files (*.jar) | Uses dependency hashes to query Artifactory Repositories for more reliable Maven Project Object Module metadata (pom.xml) for vulnerability matching. |
| Nexus | Java archive files (*.jar) | Uses dependency hashes to query Sonatype Nexus for more reliable Maven Project Object Module metadata (pom.xml) for vulnerability matching. |
Experimental Analyzers
The following analyzers can be enabled by enabling the experimental configuration option; see the documentation for the CLI, Ant, Maven, etc. for more information. These analyzers are considered experimental due to the higher false positive and false negative rates. Even though these are marked as experimental several teams have found them useful in their current state.
| Analyzer | File Types Scanned | Analysis Method |
|---|---|---|
| Autoconf | Autoconf project configuration files (configure, configure.in, configure.ac) | Regex scan for AC_INIT metadata, including in generated configuration script. |
| CMake | CMake project files (CMakeLists.txt) and scripts (*.cmake) | Regex scan for project initialization and version setting commands. |
| CocoaPods | CocoaPods .podspec files |
Extracts dependency information from specification file. |
| Carthage | Carthage Cartfile.resolved files |
Extracts dependency information from specification file. |
| Composer Lock | PHP Composer Lock files (composer.lock) | Parses PHP Composer lock files for exact versions of dependencies. |
| CPAN File | Perl cpanfile Lock files (composer.lock) | Parses Perl cpanfile files for dependencies. |
| Dart | pubspec.yaml, pubspec.lock |
Extracts dependency information from specification files. |
| Golang mod | go.mod |
Uses go mod to determine exactly which dependencies are used. |
| Golang dep | Gopkg.lock |
Analyzes the lock file directly to parse dependency information. |
| PE Analyzer | PE DLL and EXE |
Analyzes the PE Headers to obtain dependency information. |
| Python | Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip) | Regex scan of Python source files for setuptools metadata; Parse RFC822 header format for metadata in all other artifacts. |
| Pip | Python Pip requirements.txt files | Regex scan of requirements.txt. |
| Ruby Gemspec | Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec) | Regex scan Gemspec initialization blocks for metadata. |
| SWIFT | SWIFT Package Manager's Package.swift |
Extracts dependency information from swift package file. |