arguments.md

Command Line Arguments

The following table lists the command line arguments:

Short	Argument Name	Parameter	Description	Requirement
	--project	<name>	The name of the project being scanned.	Optional
-s	--scan	<path>	The path to scan - this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. 'directory/**/*.jar'); if using an Ant style path it is highly recommended that you use single quotes around the path so that the shell itself does not automatically perform replacements (see issue #1812.	Required
	--exclude	<pattern>	The path patterns to exclude from the scan - this option can be specified multiple times. This accepts Ant style path patterns (e.g. /exclude/).	Optional
	--symLink	<depth>	The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed.	Optional
-o	--out	<path>	The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name.	Optional
-f	--format	<format>	The output format to write to (XML, HTML, CSV, JSON, JUNIT, SARIF, ALL). Multiple formats can be specified by specifying the parameter multiple times. The default is HTML.	Required
	--junitFailOnCVSS	<score>	If using the JUNIT report format the junitFailOnCVSS sets the CVSS score threshold that is considered a failure. The default is 0.	Optional
	--prettyPrint		When specified the JSON and XML report formats will be pretty printed.	Optional
	--failOnCVSS	<score>	If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified.	Optional
-l	--log	<file>	The file path to write verbose logging information.	Optional
-n	--noupdate		Disables the automatic updating of the CPE data.	Optional
	--suppression	<files>	The file paths to the suppression XML files; used to suppress false positives. This can be specified more than once to utilize multiple suppression files. The argument can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see #1878 (comment))	Optional
-h	--help		Print the help message.	Optional
	--advancedHelp		Print the advanced help message.	Optional
-v	--version		Print the version information.	Optional
	--cveValidForHours	<hours>	The number of hours to wait before checking for new updates from the NVD. The default is 4 hours.	Optional
	--enableExperimental		Enable the experimental analyzers. If not set the analyzers marked as experimental below will not be loaded or used.	Optional
	--enableRetired		Enable the retired analyzers. If not set the analyzers marked as retired below will not be loaded or used.	Optional

Advanced Options

Short	Argument Name	Parameter	Description	Default Value
	--cveUrlModified	<url>	URL for the modified CVE JSON data feed. When mirroring the NVD you must mirror the *.json.gz and the *.meta files. Optional if your custom cveUrlBase is just a domain name change.	https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-modified.json.gz
	--cveUrlBase	<url>	Base URL for each year's CVE JSON data feed, the %d will be replaced with the year.	https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-%d.json.gz
	--cveUser	<username>	Credentials used for basic authentication for the CVE data.
	--cvePassword	<password>	Credentials used for basic authentication for the CVE data.
	--cveStartYear	<year>	The first year of NVD CVE data to retrieve.	2002
	--cveDownloadWait	<milliseconds>	The number of milliseconds to wait between NVD CVE download.	4000
	--hints	<file>	The file path to the XML hints file - used to resolve false negatives
-P	--propertyfile	<file>	Specifies a file that contains properties to use instead of application defaults.
	--updateonly		If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated.
	--disableFileName		Disables the File Name Analyzer; in generally, this should not be disabled.
	--disablePyDist		Sets whether the experimental Python Distribution Analyzer will be used.
	--disablePyPkg		Sets whether the experimental Python Package Analyzer will be used.
	--disableMSBuild		Sets whether the MS Build Project Analyzer will be used.
	--disableNodeJS		Sets whether the Node.js Package Analyzer will be used.
	--disableYarnAudit		Sets whether the yarn Audit Analyzer will be used. This analyzer requires an internet connection and that yarn is installed. Use --nodeAuditSkipDevDependencies to skip dev dependencies.
	--yarn	<path>	The path to yarn.
	--disablePnpmAudit		Sets whether the pnpm Audit Analyzer will be used. This analyzer requires an internet connection and that pnpm is installed. Use --nodeAuditSkipDevDependencies to skip dev dependencies.
	--pnpm	<path>	The path to pnpm.
	--disableNodeAudit		Sets whether the Node Audit Analyzer will be used. This analyzer requires an internet connection.
	--disableNodeAuditCache		When the argument is present the Node Audit Analyzer will not cache results. By default the results are cached for 24 hours.
	--nodeAuditSkipDevDependencies		Configures the Node Audit Analyzer to skip devDependencies.
	--nodePackageSkipDevDependencies		Configures the Node Package Analyzer to skip devDependencies.
	--disableRetireJS		Sets whether the RetireJS Analyzer will be used.
	--retireJsForceUpdate		Sets whether the RetireJS Analyzer will update regardless of the noupdate argument.	false
	--retireJsUrl	<url>	The URL to the Retire JS repository.	https://raw.githubusercontent.com/Retirejs/retire.js/master/repository/jsrepository.json
	--retirejsFilter	<pattern>	The RetireJS Analyzers content filter used to exclude JS files when the content contains the given regular expression; this option can be specified multiple times.
	--retirejsFilterNonVulnerable		Specifies that the Retire JS Analyzer should filter out non-vulnerable JS files from the report.
	--disableRubygems		Sets whether the experimental Ruby Gemspec Analyzer will be used.
	--disableBundleAudit		Sets whether the experimental Ruby Bundler Audit Analyzer will be used.
	--disableCocoapodsAnalyzer		Sets whether the experimental Cocoapods Analyzer will be used.
	--disableSwiftPackageManagerAnalyzer		Sets whether the experimental Swift Package Manager Analyzer will be used.
	--disableSwiftPackageResolvedAnalyzer		Sets whether the experimental Swift Package Resolved Analyzer will be used.
	--disableAutoconf		Sets whether the experimental Autoconf Analyzer will be used.
	--disableOpenSSL		Sets whether the OpenSSL Analyzer will be used.
	--disableCmake		Sets whether the experimental Cmake Analyzer will be disabled.
	--disableArchive		Sets whether the Archive Analyzer will be disabled.
	--zipExtensions	<strings>	A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed.
	--disableJar		Sets whether the Jar Analyzer will be disabled.
	--disableComposer		Sets whether the experimental PHP Composer Lock File Analyzer will be disabled.
	--disableCpan		Sets whether the experimental Perl CPAN File Analyzer will be disabled.
	--disableDart		Sets whether the experimental Dart Analyzer will be disabled.
	--disableOssIndex		Sets whether the OSS Index Analyzer will be disabled. This analyzer requires an internet connection.
	--disableOssIndexCache		When the argument is present the OSS Index Analyzer will not cache results. By default results are cached for 24 hours.
	--ossIndexUsername	<username>	The optional username to connect to Sonatype's OSS Index.
	--ossIndexPassword	<password>	The optional password to connect to Sonatype's OSS Index.
	--ossIndexRemoteErrorWarnOnly		Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely.
	--disableCentral		Sets whether the Central Analyzer will be used. Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly). If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer.
	--disableCentralCache		When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days.
	--enableNexus		Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server.
	--enableArtifactory		Sets whether Artifactory analyzer will be used
	--artifactoryUrl	<url>	The Artifactory server URL.
	--artifactoryUseProxy	<true|false>	Whether Artifactory should be accessed through a proxy or not.	false
	--artifactoryParallelAnalysis	<true|false>	Whether the Artifactory analyzer should be run in parallel or not	true
	--artifactoryUsername	<username>	The user name (only used with API token) to connect to Artifactory instance
	--artifactoryApiToken	<token>	The API token to connect to Artifactory instance, only used if the username or the API key are not defined by artifactoryAnalyzerServerId, artifactoryAnalyzerUsername or artifactoryAnalyzerApiToken.
	--artifactoryBearerToken	<token>	The bearer token to connect to Artifactory instance
	--nexus	<url>	The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled.
	--nexusUser	<username>	The username to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.
	--nexusPass	<password>	The password to authenticate to the Nexus Server's REST API Endpoint. If not set the Nexus Analyzer will use an unauthenticated connection.
	--nexusUsesProxy	<true|false>	Whether or not the defined proxy should be used when connecting to Nexus.	true
	--disableNuspec		Sets whether the .NET Nuget Nuspec Analyzer will be used.
	--disableNugetconf		Sets whether the experimental .NET Nuget packages.config Analyzer will be used.
	--disableAssembly		Sets whether the .NET Assembly Analyzer should be used.
	--dotnet	<path>	The path to dotnet core for .NET Assembly analysis on non-windows systems.
	--disableGolangDep		Sets whether the experimental Go Dependency Analyzer should be used.
	--disableGolangMod		Sets whether the experimental Go Mod Analyzer should be used.
	--disableMixAudit		Sets whether the experimental Elixir mix audit Analyze should be used.
	--disablePoetry		Sets whether the experimental Poetry Analyzer should be used.
	--go	<path>	The path to go executable for the Go Mode Analyzer; only necassary if go is not on the path.
	--bundleAudit		The path to the bundle-audit executable.
	--bundleAuditWorkingDirectory	<path>	The path to working directory that the bundle-audit command should be executed from when doing Gem bundle analysis.
	--proxyserver	<server>	The proxy server to use when downloading resources; see the proxy configuration page for more information.
	--proxyport	<port>	The proxy port to use when downloading resources.
	--nonProxyHosts	<list>	The proxy exclusion list: hostnames (or patterns) for which proxy should not be used. Use pipe, comma or colon as list separator. Example: `something.com	*.something.com
-c	--connectiontimeout	<timeout>	The connection timeout (in milliseconds) to use when downloading resources.	10000
	--readtimeout	<timeout>	The read timeout (in milliseconds) to use when downloading resources.	60000
	--proxypass	<pass>	The proxy password to use when downloading resources.
	--proxyuser	<user>	The proxy username to use when downloading resources.
	--connectionString	<connStr>	The connection string to the database. See using a database server.
	--dbDriverName	<driver>	The database driver name.
	--dbDriverPath	<path>	The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path.
	--dbPassword	<password>	The password for connecting to the database.
	--dbUser	<user>	The username used to connect to the database.
-d	--data	<path>	The location of the data directory used to store persistent data. This option should generally not be set.
	--purge		Delete the local copy of the NVD. This is used to force a refresh of the data.