etnetera / owasp-dependency-check

MIT License

Which version of owasp-dependency-check is run by this NPM module #5

Closed Muzietto closed 2 years ago

Muzietto commented 2 years ago

When I run my NPM task that invokes this module, I cannot see anywhere in the logs which version of owasp-dependency-check is being run.

Can I assume that the version choice is made by the NPM module at runtime and that the most recent version is used?

I have verified that sometimes the run takes considerably longer. I suppose that new software is being downloaded (from where precisely?), but I haven't been able to understand whether new executables or new vulnerabilities config files are being retrieved.

If documentation is available about these topics, I'd like to know where it is.

centi commented 2 years ago

Your assumption is correct. If there is no binary for the dependency check available locally, the most recent one will be downloaded from this feed: https://api.github.com/repos/jeremylong/DependencyCheck/releases/latest and information about the download start should be printed in the log: owasp-dependency-check: Downloading the dependency-check executables ....

If there already is a binary present, the log will contain owasp-dependency-check: Found local installation (OWASP_BIN), using it..

But you are right, there is no information about the specific version which will be used right now. I'll look into it.

centi commented 2 years ago

Anyway, after you see the message owasp-dependency-check: Running the dependency check ... in the log, followed by a command, the Dependency-Check Core now takes control. After this moment, this NPM package does nothing.

If the check itself takes a lot of time after this moment, it is most likely an issue in the Core itself. You could use the command listed in the log and report an issue to the Core project.

centi commented 2 years ago

But to be sure, you can copy the command from the log and run it yourself from your command line and see if it still takes too long.

centi commented 2 years ago

I added some better logging. Give it a try in version 0.0.19.