Which dependency check to use?

[bossenti]

We use two tools that check our dependencies for vulnerabilities:

On the one hand, there is the OWASP Dependency-Check that we use as a maven plugin during the check lifecycle phase. On the other hand, we have a GitHub Action using Google's OSV scanner for all our dependency systems (Maven, NPM, pip).

The OWASP Dependency-Check has recently released a new major release (9.0.0) and announced to stop support for all previous versions beginning from the 15th of December.

Therefore, I'd like to discuss how we want to proceed here. In my mind, I have the following options:

1. Drop OWASP Dependency-Check since int only covers Maven dependencies
2. Use OWASP Dependency-Check for Maven dependencies and the OSV scanner for the other ecosystems. This includes requesting an API Key for OWASP Dependency-Check, see here. In addition, I would like to suppose to only run the check explicitly and generate a report (similar to OSV).

What do you think? Are there any other options/ideas?

[tenthe]

Hi @bossenti,
thank you for getting the discussion going.
Do you see any disadvantages with option 1? Will it be enough to solely rely on Google's OSV?

[bossenti]

I can't assess
So far the OWASP check did just silently run within mvn check and only created some log messages (and maybe even a report file in the target directory) which I've never looked at

[dominikriemer]

+1 for removing the dependency check plugin and having a single scanner for all ecosystems