Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
OWASP Dependency Check
Dependency-Check is a software composition analysis utility that identifies project dependencies and checks whether any of them have known, publicly disclosed vulnerabilities. Currently, Java and .NET are supported; additional experimental support has been added for Ruby, Node.js and Python, and there is limited support for C/C++ build systems (autoconf and cmake). The tool can be part of a solution to OWASP Top 10 2017 A9 (Using Components with Known Vulnerabilities), the same category that appeared as A9 in the OWASP Top 10 2013.
The OWASP Dependency Check Azure DevOps Extension enables the following features in an Azure Build Pipeline:
Software composition analysis runs against the project's package references during each build
Export of vulnerability data as HTML, JSON, XML, CSV and JUnit formatted reports
Download of the vulnerability reports from the build's artifacts
Execute the pipeline and wait for the build to complete.
Review the build logs and ensure that the Dependency Check task completed successfully.
Click on the Dependency Check build task to view the build output.
Dependency Check Reports
Each selected report format is uploaded to the build's artifacts for download.
Select Dependency Check to open the Artifact Explorer and download the Dependency Check reports.
Dependency Check supports exporting the results as JUnit formatted test results. To parse the JUnit test results, create a new Publish Test Results build task with the following configuration.
Open the build's Tests tab to see the passing and failing Dependency Check tests; a dependency with a reported vulnerability appears as a failed test.
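The procedure above, written as a YAML pipeline. This is an added example, not the extension's own sample: the `dependency-check-build-task@6` input names, the report output folder under `$(Common.TestResultsDirectory)` and the `dependency-check-junit.xml` file name are assumptions that should be checked against the extension's task reference for the version you install. The `condition: succeededOrFailed()` on the publish step matters: when the CVSS gate fails the scan task, the JUnit results must still be published or the Tests tab stays empty exactly when you need it.

```yaml
# Added example pipeline (not from the extension's own docs). Task input names,
# the report folder and the JUnit file name are assumptions; verify them against
# the extension's task reference before use.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Restore first so resolved package references exist for the scan (.NET shown;
  # use the equivalent build/resolve step for Java).
  - task: DotNetCoreCLI@2
    displayName: 'Restore packages'
    inputs:
      command: 'restore'
      projects: '**/*.csproj'

  # Run the OWASP Dependency Check scan. Each requested format yields one report;
  # JUNIT is the one PublishTestResults consumes below.
  - task: dependency-check-build-task@6
    displayName: 'OWASP Dependency Check'
    inputs:
      projectName: '$(Build.Repository.Name)'
      scanPath: '$(Build.SourcesDirectory)'
      format: 'HTML, JSON, JUNIT'
      # Fail the build when any finding scores CVSS 7.0 or higher (assumed input name).
      failOnCVSS: '7'
      # Reviewed false positives live in a suppression file in the repo; remove this
      # input if you do not have one yet.
      suppressionPath: '$(Build.SourcesDirectory)/dependency-check-suppressions.xml'

  # Surface one test case per scanned dependency in the Tests tab. Runs even when
  # the scan task failed the build, so the failing dependencies are visible.
  - task: PublishTestResults@2
    displayName: 'Publish Dependency Check JUnit results'
    condition: succeededOrFailed()
    inputs:
      testResultsFormat: 'JUnit'
      testResultsFiles: 'dependency-check-junit.xml'
      # Assumed output location of the extension's reports.
      searchFolder: '$(Common.TestResultsDirectory)/dependency-check'
      testRunTitle: 'OWASP Dependency Check'
      # The CVSS gate above decides pass/fail; low-severity findings should show up
      # as failed tests without breaking the build a second time.
      failTaskOnFailedTests: false
```

The HTML, JSON and JUnit reports still land in the build artifacts as described above; the publish step only adds the per-dependency view in the Tests tab.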