We use a periodic OWASP Dependency-Check job to scan our Java applications.
It would be useful to also use OWASP Dependency-Check to scan other tools that are used in our system, but that are not formally dependencies of anything. This includes Java runtime installations and a database system.
Is there any way to make OWASP Dependency-Check scan those specified products?
For example, this is the CPE for the JDK version: cpe:2.3:a:eclipse:temurin:21.0.9
Can I give this as a parameter to Dependency-Check to check in some way?
Or can I maybe create a dummy artifact in some way that makes it check that product?
Or maybe call the code in the scanner JAR file directly in some way?