[ https://issues.apache.org/jira/browse/JENA-2223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479202#comment-17479202 ]
Andy Seaborne commented on JENA-2223:
-------------------------------------

Having tried this, and other tools, out, the Dependabot security scanning seems to cover everything ossindex-maven-plugin does (it is possible they get their raw data from the same root source).

> Add ossindex-maven-plugin to the build.
> ---------------------------------------
>
>                 Key: JENA-2223
>                 URL: https://issues.apache.org/jira/browse/JENA-2223
>             Project: Apache Jena
>          Issue Type: Task
>          Components: Build
>    Affects Versions: Jena 4.3.2
>            Reporter: Andy Seaborne
>            Priority: Minor
>
> https://sonatype.github.io/ossindex-maven/maven-plugin/
>
> We might add this to the build or to a profile.
>
> The downside is that there is already a lot of build output. Too much output
> means it is very easy to miss warnings, so adding this (there are 47 modules)
> might hide warnings from other plugins. This plugin can be set to fail the
> build.
>
> {{mvn -q}} hides all but errors and maybe hides nested build information used
> by the release which comes out as {{[INFO] [WARNING]...}}
>
> Dependencies change infrequently. This could be set up in a profile and have a
> special Jenkins job.
>
> It can be run manually:
>
> {{mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -fn -f pom.xml}}

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
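For reference, the "profile plus a dedicated Jenkins job" arrangement the issue describes could look like the fragment below. This is an added illustration for this page, not code from the Jena build or from anyone in the thread. It assumes a Maven profile id of `ossindex` and a property `ossindex.plugin.version` defined elsewhere in the pom; the parameter names `fail`, `scope` and `cvssScoreThreshold` and the choice of the `validate` phase are taken from the plugin's documentation as I recall it and should be checked against https://sonatype.github.io/ossindex-maven/maven-plugin/ before use. Keeping the plugin out of the default build avoids the extra output across 47 modules, and because the audit only runs in the separate job, it can be left to fail the build rather than needing `-fn` as in the manual command above.

```xml
<!-- Added example, not part of the Apache Jena pom or of this Jira thread.
     A profile that runs the OSS Index audit only when explicitly selected,
     e.g. from a dedicated Jenkins job:  mvn -P ossindex validate
     Assumptions: profile id "ossindex", property ossindex.plugin.version set
     in <properties>, and the parameter names below (verify against the
     plugin documentation). -->
<profiles>
  <profile>
    <id>ossindex</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.sonatype.ossindex.maven</groupId>
          <artifactId>ossindex-maven-plugin</artifactId>
          <version>${ossindex.plugin.version}</version>
          <executions>
            <execution>
              <id>audit-dependencies</id>
              <!-- early phase: no compile or tests needed to resolve the
                   dependency graph, so the job stays fast (assumed) -->
              <phase>validate</phase>
              <goals>
                <goal>audit</goal>
              </goals>
            </execution>
          </executions>
          <configuration>
            <!-- Stop the build on a reported vulnerability. In a separate
                 job this is the point; in the main build it would be noise. -->
            <fail>true</fail>
            <!-- Only audit what ships: leave out test-scoped dependencies. -->
            <scope>compile,runtime</scope>
            <!-- Report everything, but only fail on findings at or above
                 this CVSS score; tune to the project's tolerance. -->
            <cvssScoreThreshold>7.0</cvssScoreThreshold>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Running `mvn -P ossindex validate` from the root pom applies the execution to every module, so the output is still sizeable, but it is confined to a job whose only purpose is this audit, and a non-zero exit from that job is the signal rather than a `[WARNING]` line buried in the release build.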