This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • About OWASP Dependency Check

Access to add and change pages is restricted. See:

Skip to end of metadata
Go to start of metadata


Please refer to history for information on released and older trunk versions. The links might fail though, since the OFBiz svn repo structure has changed while splitting frameworks from plugins.


OWASP Dependency Check is a tool for checking the Java libraries you use have no security issues. We use it through a Gradle plugin.
Once the CVEs references the Gradle dependencies are up to date, as of 2016/09/05, it takes 3,5 minutes on a standard machine to check the dependencies (it was 2+ minutes before Gradle)

Here is the Gradle command line to use to start the check:

gradlew -PenableOwasp dependencyCheckAnalyze

Trunk reports

Here is the last report file for the trunk

There is also the tools\security folder with some information in OFBiz trunk repo...

Since OFBiz uses Gradle, all dependent libraries (ie also dependencies from the libraries OFBiz uses and recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it's materially impossible to check all the possible vulnerabilities. I decided to only check the higher ones, currently (2017-09-29) we have only already know ones:

As you can check in the main build.gradle, those 2 libs are not directly used by OFBiz but by libs used by plugins (like Birt).

The other HIGHEST are only dependencies on dependencies. In both cases it's impossible to do otherwise anyway (though we should upgrade Birt...)