How does it work?
Dependency-check works by collecting information about the files it scans (using Analyzers). We currently do not utilize file hashes - I've found these to be unreliable, because if the dependency was built from source the hash likely won't match.
The information collected is called Evidence; there are three types of evidence collected: vendor, product, and version. For instance, the JarAnalyzer will collect information from the Manifest, pom.xml, and the package names within the JAR.
Within the NVD CVE Data (schema can be found here) each CVE Entry has a list of vulnerable software:

```xml
<entry id="CVE-2012-5055">
  ...
  <vuln:vulnerable-software-list>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
    <vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
  </vuln:vulnerable-software-list>
</entry>
```
These CPE entries are read as "cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:...". This information is collected and stored in a Lucene Index. We then use the Evidence collected and attempt to match an entry from the Lucene CPE Index. If a match is found, the CPEAnalyzer will add an Identifier to the Dependency.
Once we have an Identifier, the NvdCveAnalyzer will look up the associated CVE entries from a local H2 Database that was created by dependency-check.
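To make the evidence-to-CPE step concrete, here is an added, simplified illustration (not dependency-check's own code: the real CPEAnalyzer queries a Lucene index, while this uses a hypothetical in-memory token-set comparison). The CPE index entries are the three from the CVE above plus one unrelated entry, and the evidence values are constructed to resemble what a JarAnalyzer might gather.

```python
# Added, simplified illustration of the evidence -> CPE matching step above; not
# dependency-check's code (the real CPEAnalyzer queries a Lucene index).
import re
from collections import namedtuple

Cpe = namedtuple("Cpe", "part vendor product version")

def parse_cpe22(uri):
    """Split 'cpe:/[part]:[vendor]:[product]:[version]:...' into its fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))          # tolerate a missing version
    return Cpe(*fields[:4])

def tokens(text):
    """Lower-case and split on anything that is not a letter or digit."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def evidence_tokens(evidence, *kinds):
    """Union of tokens over every evidence value of the given kinds."""
    return set().union(*(tokens(v) for k in kinds for v in evidence.get(k, [])))

def version_supported(cpe_version, versions):
    """'3.1.2' is backed by '3.1.2' or '3.1.2.RELEASE', not by '3.1.20'."""
    return not cpe_version or any(
        v == cpe_version or v.startswith(cpe_version + ".") for v in versions)

def match_cpes(evidence, cpe_index):
    """Return CPE URIs whose vendor, product and version are all backed by evidence."""
    vendor_t = evidence_tokens(evidence, "vendor")
    name_t = evidence_tokens(evidence, "vendor", "product")
    found = []
    for uri in cpe_index:
        cpe = parse_cpe22(uri)
        if (tokens(cpe.vendor) & vendor_t            # some vendor token seen
                and tokens(cpe.product) <= name_t    # every product token seen
                and version_supported(cpe.version, evidence.get("version", []))):
            found.append(uri)
    return found

# Constructed CPE index (three entries from the CVE above plus an unrelated one)
CPE_INDEX = ["cpe:/a:vmware:springsource_spring_security:3.1.2",
             "cpe:/a:vmware:springsource_spring_security:2.0.4",
             "cpe:/a:vmware:springsource_spring_security:3.0.1",
             "cpe:/a:apache:commons_io:2.4"]
# Constructed evidence, as a JarAnalyzer might gather from MANIFEST.MF / pom.xml
EVIDENCE = {"vendor": ["VMware, Inc.", "org.springframework.security"],
            "product": ["spring-security-core", "SpringSource Spring Security"],
            "version": ["3.1.2.RELEASE"]}
```

Running `match_cpes(EVIDENCE, CPE_INDEX)` yields only the 3.1.2 entry; the 2.0.4 and 3.0.1 entries fail the version check and the commons_io entry fails the vendor check, which is the same kind of evidence-driven narrowing the CPEAnalyzer performs before attaching an Identifier.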
Finally, a report is generated using Velocity Templates.