DependencyCheck
OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. (by jeremylong)
Error Prone
Catch common Java mistakes as compile-time errors (by google)
Our great sponsors
| DependencyCheck | Error Prone | |
|---|---|---|
| 11 | 16 | |
| 5,863 | 6,716 | |
| - | 0.6% | |
| 9.4 | 9.4 | |
| 7 days ago | 7 days ago | |
| Java | Java | |
| Apache License 2.0 | Apache License 2.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
DependencyCheck
Posts with mentions or reviews of DependencyCheck.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-06-14.
- OWASP dependency check (<9.0.0) could fail to work after Dec 15th, 2023
-
How To Secure Your JavaScript Applications
Use Security Tools: To identify known vulnerabilities in your project's dependencies, you can utilize commands like npm audit or employ third-party security scanners such as DependencyCheck or Dependabot. These tools thoroughly analyze the dependency tree and offer actionable insights to assist you in resolving any identified vulnerabilities.
-
Do you use dependency analysis and vulnerability detection tools?
OWASP DependencyCheck - a really decent tool for scanning your project for vulnerable dependencies. It is actively developed and updated and up to date with the most latest vulnerabilities. Sometimes it can be a pain in the ass, though. Some security researchers and such find a vulnerability, publish it and the next day our CI/CD pipelines fail (the dependency check build step prevents the code from going to production). And not always there is a fix available. So, some vulnerabilities have to be ignored, temporarily. Also, to be able to ignore a vulnerability one has to do a fast risk assessment. And that will require from him to read about the vulnerability and decide if it is safe to be ignored or some different workaround must be found.
-
The ultimate guide to Java Security Vulnerabilities (CVE)
The ultimate guide somehow fails to mention the best CVE checker: https://github.com/jeremylong/DependencyCheck
-
Is Clojure suitable for my use cases?
We run https://github.com/jeremylong/DependencyCheck over our dependency tree regularly, via this Clojure wrapper: https://github.com/clj-holmes/clj-watson which tells us the dependency tree path to each item that has a CVE and also the version in which the CVE is addressed, if known.
-
Gitlab community dependency scanning
We use OWASP dependency-check and pass reports to SonarQube.
-
Security in CICD / DevSecOps
From OWASP for those class of tools you could look into DependencyCheck and DependencyTrack
- Is there a tool to track CVEs for the software that we use?
-
Does anybody know any good materials for java defensive coding please?.
DependencyCheck is an open source tool that checks for vulnerabilities in dependencies used within a project. While it is a reactive tool, it's an important one since the code a developer writes is not the only code an application uses.
-
Are there any tools I can use to safely upgrade my Nuget packages? What are some strategies I can incorporate?
One more aspect to consider, although I know it is not the primary ask of the post, is to be sure and run something like dependency check on your repository. There are quite a few vulnerabilities being injected through the packaging process these days.
Error Prone
Posts with mentions or reviews of Error Prone.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-05-27.
-
Any library you would like to recommend to others as it helps you a lot? For me, mapstruct is one of them. Hopefully I would hear some other nice libraries I never try.
error-prone is good for some extra static analysis.
-
How to use Java Records
A special kind of validation is enforcing that record fields are not null. (Un)fortunately, records do not have any special behavior regarding nullability. You can use tools like NullAway or Error Prone to prevent null in your code in general, or you can add checks to your records:
- Prusti: Static Analyzer for Rust
-
Why is `suspend` a language keyword, but @Composable and @Serializable are annotations
I am all in favour to more third side libraries adding functionalities, like Lombok, Manifold and error prone. As well as smaller projects like this shameless plug and what appears in this list
-
Picnic loves Error Prone: producing high-quality and consistent Java code
If only Google didn't suck when it came to Java9+ support... https://github.com/google/error-prone/issues/2649
-
What does the future hold for Project Amber?
I haven't used it. I use Google's ErrorProne + Lombok to prevent NPEs in java.
-
Plans for Compile-time Null Pointer Safety?
Take a look at NullAway, a plugin for Error Prone.
-
What I miss in Java, the perspective of a Kotlin developer
For some of this stuff, there are compiler extensions that allow extra type checking to be added e.g. Google Error-Prone: https://github.com/google/error-prone with stuff like: https://errorprone.info/bugpattern/ReturnMissingNullable.
Doesn't help you with third party libraries, but across an org applying that rule (and others!) typically ensures some consistency.
-
A guide on how to improve your coding skills with static code analysis.
How to build a static analysis plugin. Google has a framework for Java with a good tutorial.
- Error Prone 2.11.0 Released. Requires JDK11+
What are some alternatives?
When comparing DependencyCheck and Error Prone you can also consider the following projects:
dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
Spotbugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
SonarQube - Continuous Inspection
opencve - CVE Alerting Platform
PMD - An extensible multilanguage static code analyzer.
openvas-scanner - This repository contains the scanner component for Greenbone Community Edition.
Checkstyle - Checkstyle is a development tool to help programmers write Java code that adheres to a coding standard. By default it supports the Google Java Style Guide and Sun Code Conventions, but is highly configurable. It can be invoked with an ANT task and a command line program.
uml-reverse-mapper - Automatically generate class diagram from code. Supports Graphviz, PlantUML and Mermaid output formats.
FindBugs - The new home of the FindBugs project
slsa - Supply-chain Levels for Software Artifacts
infer - A static analyzer for Java, C, C++, and Objective-C
DependencyCheck vs dependency-track
Error Prone vs Spotbugs
DependencyCheck vs SonarQube
Error Prone vs SonarQube
DependencyCheck vs opencve
Error Prone vs PMD
DependencyCheck vs openvas-scanner
Error Prone vs Checkstyle
DependencyCheck vs uml-reverse-mapper
Error Prone vs FindBugs
DependencyCheck vs slsa
Error Prone vs infer