Hey,

Any objections against automatic checking of known, publicly disclosed dependency vulnerabilities in the Maven build process (e.g. via a profile)?

I was thinking about introducing OWASP dependency checking (see https://www.owasp.org/index.php/OWASP_Dependency_Check) in the TomEE project, so we are aware of security risks introduced by (transient) dependencies.

Any thoughts on this?

Best,

Richard
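A minimal opt-in Maven profile along the lines proposed above, added here as an illustration; it is not configuration from the TomEE project or from the OWASP documentation. The version property and the suppression file path are assumptions.

```xml
<!-- pom.xml excerpt (added illustration, not TomEE's own build). Assumes the plugin
     version is pinned via a property and that a reviewed suppression file exists. -->
<profiles>
  <profile>
    <!-- Opt-in profile: run with  mvn verify -Pdependency-check  -->
    <id>dependency-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- hypothetical property; pin to the plugin release you have tested -->
          <version>${dependency-check.version}</version>
          <configuration>
            <!-- Fail the build when any finding reaches this CVSS score -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- Suppressions for findings already reviewed as false positives; path is an assumption -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
            <!-- HTML for humans, JSON for CI tooling -->
            <formats>
              <format>HTML</format>
              <format>JSON</format>
            </formats>
          </configuration>
          <executions>
            <execution>
              <goals>
                <!-- 'check' scans this module (default phase: verify);
                     'aggregate' would cover a whole multi-module reactor -->
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Keeping the check in a profile lets the project introduce it without slowing every developer build, while a CI job activates the profile so transitive dependencies with published vulnerabilities break the build there.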
