Dependency-Check 是一种软件组合分析 (SCA) 工具，它会检测项目依赖项中包含的公开披露的漏洞。

DependencyCheck下载地址：

• https://github.com/jeremylong/DependencyCheck/releases/download/v7.3.2/dependency-check-7.3.2-release.zip

• https://search.maven.org/#artifactdetails%7Corg.owasp%7Cdependency-check-maven%7C7.3.2%7Cmaven-plugin

三方依赖检查工具DependencyCheck首次运行会下载nvd/cve漏洞库，报告不太友好，自己写一个。

在mvnrepository.com查询，url规则：

https://mvnrepository.com/artifact/<groupid>/<artifactid>/<verison>

漏洞关键字查找

举例：

XXE:

• SAXReader

• SAXBuilder

• SAXParser

• XMLReader

• DocumentBuilder

• XMLStreamReader

SSRF:

• HttpURLConnection

• URL

• ImageIO

• HttpClient

• Socket

• OkHttpClient

• SimpleDriverDataSource

• DriverManager