[
https://issues.apache.org/jira/browse/JENA-2223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479202#comment-17479202
]
Andy Seaborne commented on JENA-2223:
-------------------------------------
Having tried this, and other tools out, the dependabot security seems to cover
everything ossindex-maven-plugin does (it is possible they get their raw data
from the same root source).
> Add ossindex-maven-plugin to the build.
> ---------------------------------------
>
> Key: JENA-2223
> URL: https://issues.apache.org/jira/browse/JENA-2223
> Project: Apache Jena
> Issue Type: Task
> Components: Build
> Affects Versions: Jena 4.3.2
> Reporter: Andy Seaborne
> Priority: Minor
>
> https://sonatype.github.io/ossindex-maven/maven-plugin/
> We might add this to the build or to a profile.
> The downside is that there is already a lot of build output. Too much output
> means it is very easy to miss warnings so adding this (there are 47 modules)
> might hide warnings from other plugins. This plugin can be set to fail the
> build.
> {{mvn -q}} hides all but errors and maybe hides nested build information used
> by the release which comes out as {{[INFO] [WARNING]...}}
> Dependencies change infrequently. This could be set up in a profile and have a
> special Jenkins job.
> It can be run manually:
> {{mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -fn -f pom.xml}}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
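One way to do what the issue sketches, as an added example that is not part of the Jena build or of this thread: the plugin lives in a profile so it stays out of the normal build output, runs the `audit` goal in the `verify` phase, and is configured to fail the build. The version is a placeholder; pin it to the release you have checked.

```xml
<!-- Added example profile, not taken from the Jena pom.xml -->
<profile>
  <id>audit</id>
  <build>
    <plugins>
      <plugin>
        <groupId>org.sonatype.ossindex.maven</groupId>
        <artifactId>ossindex-maven-plugin</artifactId>
        <!-- placeholder version: replace with the release you verified -->
        <version>X.Y.Z</version>
        <executions>
          <execution>
            <id>ossindex-audit</id>
            <!-- bound to verify so the audit runs after packaging, before install -->
            <phase>verify</phase>
            <goals>
              <goal>audit</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- fail the build when a dependency has a reported vulnerability -->
          <fail>true</fail>
        </configuration>
      </plugin>
    </plugins>
  </build>
</profile>
```

With the profile in place, a dedicated job can run `mvn -Paudit -fn verify`; `-fn` keeps going after a failing module so the report covers all modules rather than stopping at the first hit.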