https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
The plugin will download the NVD database and use it to detect CVEs in our dependencies. I think we could make this part of the release process, and also add the check to nightly build and pre commit check. Thoughts? Thanks.