I noticed that the WSS4J build mainly uses the OWASP dependency-check plugin for generating a report, but those are easy to forget to review. Similar to the PMD and Checkstyle enforcement, would it be useful to add a Maven profile to fail the build if there is a CVE/CVSS score above a certain level?
This could be enforced just for releases, snapshots or both. I'll be happy to prepare a PR. -Rob
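For illustration, here is what such a profile could look like; this is an added example, not code from Rob's post or from the WSS4J build. It uses the real `org.owasp:dependency-check-maven` plugin and its `failBuildOnCVSS` parameter; the threshold of 7.0, the profile id, the `performRelease` activation property and the `${dependency-check.version}` placeholder are assumptions chosen for the example.

```xml
<!-- Added example profile (not from the WSS4J pom). Activated automatically when
     the maven-release-plugin sets -DperformRelease=true, or manually with
     -Pdependency-check-enforce, so the scan gates releases rather than only
     producing a report that may go unread. -->
<profiles>
  <profile>
    <id>dependency-check-enforce</id>
    <activation>
      <property>
        <name>performRelease</name>
        <value>true</value>
      </property>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- placeholder: pin to the version the project already uses -->
          <version>${dependency-check.version}</version>
          <executions>
            <execution>
              <id>fail-on-high-cvss</id>
              <phase>verify</phase>
              <goals>
                <goal>check</goal>
              </goals>
              <configuration>
                <!-- Fail the build for any dependency with CVSS >= 7.0 (High/Critical).
                     Leaving this unset (the default) only produces the report. -->
                <failBuildOnCVSS>7.0</failBuildOnCVSS>
                <!-- Reviewed false positives go here so they are tracked in git
                     rather than silently ignored. -->
                <suppressionFiles>
                  <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
                </suppressionFiles>
              </configuration>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Dropping the `<activation>` block and instead binding the same execution in the default build would enforce the threshold for snapshot builds as well.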