How does it work?
DependencyCheck works by collecting information about the files it scans (using Analyzers). The information collected is called Evidence; there are three types of evidence collected: vendor, product, and version. For instance, the JarAnalyzer will collect information from the Manifest, pom.xml, and the package names within the JAR.
Within the NVD CVE Data (schema can be found here) each CVE Entry has a list of vulnerable software:
```xml
<entry id="CVE-2012-5055">
  <vuln:vulnerable-software-list>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
  </vuln:vulnerable-software-list>
</entry>
```
These CPE entries are read as `cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:...`. This information is collected and stored in a Lucene index. The Evidence collected for a dependency is then used to search the Lucene CPE index for a matching entry; if one is found, the CPEAnalyzer adds an Identifier to the Dependency.
Once we have an Identifier, the NvdCveAnalyzer looks up the associated CVE entries in a local H2 database that DependencyCheck created.
Finally, a report is generated using Velocity Templates.
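The pipeline above, reduced to a runnable sketch: parse the CPE 2.2 URIs from the sample entry, match constructed vendor/product/version Evidence against them, and look the resulting Identifier up in a CVE table. This is an added illustration, not dependency-check's own code; the token-overlap matching, the `CPE_INDEX`, `CVE_TABLE` and `EVIDENCE` values are constructed stand-ins for the Lucene index, the H2 database and the JarAnalyzer's output.

```python
import re
from collections import namedtuple

Cpe = namedtuple("Cpe", "uri part vendor product version")

def parse_cpe(uri: str) -> Cpe:
    """Parse a CPE 2.2 URI: cpe:/[part]:[vendor]:[product]:[version]:[revision]:..."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))  # missing trailing fields read as empty
    return Cpe(uri, *fields[:4])

def tokens(text: str) -> set:
    """Lower-case and split on non-alphanumerics: a crude stand-in for Lucene analysis."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}

def version_matches(cpe_version: str, evidence_version: str) -> bool:
    """'3.1.2' matches '3.1.2' or '3.1.2.RELEASE', but not '3.1.20'."""
    ev = evidence_version.lower()
    return ev == cpe_version or ev.startswith(cpe_version + ".")

def match_evidence(evidence: dict, index: list) -> list:
    """Return CPE URIs whose vendor, product and version are all supported by the evidence."""
    seen = set()
    for kind in ("vendor", "product"):
        for value in evidence.get(kind, []):
            seen |= tokens(value)
    return [cpe.uri for cpe in index
            if tokens(cpe.vendor) <= seen and tokens(cpe.product) <= seen
            and any(version_matches(cpe.version, v) for v in evidence.get("version", []))]

# Constructed CPE index standing in for the Lucene index (URIs from the page's sample entry).
CPE_INDEX = [parse_cpe(u) for u in (
    "cpe:/a:vmware:springsource_spring_security:3.1.2",
    "cpe:/a:vmware:springsource_spring_security:2.0.4",
    "cpe:/a:vmware:springsource_spring_security:3.0.1",
)]
# Constructed CVE table standing in for the local H2 database.
CVE_TABLE = {cpe.uri: ["CVE-2012-5055"] for cpe in CPE_INDEX}

def find_cves(evidence: dict) -> dict:
    """Identifier -> CVE ids: the CPEAnalyzer step followed by the NvdCveAnalyzer step."""
    return {uri: CVE_TABLE.get(uri, []) for uri in match_evidence(evidence, CPE_INDEX)}
# Constructed evidence such as the JarAnalyzer might collect from a manifest and pom.xml.
EVIDENCE = {"vendor": ["SpringSource", "VMware, Inc."],
            "product": ["spring-security-core", "org.springframework.security"],
            "version": ["3.1.2.RELEASE"]}
if __name__ == "__main__":
    print(find_cves(EVIDENCE))  # {'cpe:/a:vmware:springsource_spring_security:3.1.2': ['CVE-2012-5055']}
```

Only the 3.1.2 entry survives the version check, which is the step that separates a correct Identifier from a false positive on the other two CPEs of the same product.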