bpavuk 9 hours ago
Is there a `govulncheck`-like tool for the JVM ecosystem? I heard Gradle has something like that in its ecosystem. A search revealed the Sonatype Scan Gradle plugin. How is it?
wpollock 6 hours ago | parent
It's been a few years, but for Java I used OWASP: <https://owasp.org/www-project-dependency-check/>, which downloads the NVD (so the first run was slow) and scans all dependencies against that. I ran it from Maven as part of the build.
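The Maven setup the reply describes, as an added example that is not the commenter's own configuration: OWASP dependency-check runs as a build plugin, its `check` goal binds to the `verify` phase by default, and `failBuildOnCVSS` turns a finding into a failed build. The version number is a placeholder, and the CVSS threshold of 7 is an assumed policy, not something the comment states.

```xml
<!-- Added example (not the commenter's pom.xml): run OWASP dependency-check on every build -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- placeholder: pin to a current release of the plugin -->
      <version>X.Y.Z</version>
      <configuration>
        <!-- assumed policy: fail the build when any dependency has a CVE scored 7.0 or higher -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- 'check' scans the resolved dependency tree and applies the threshold above -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` scans every resolved artifact and fails on a match above the threshold; an HTML report is written under `target/` for triage. The NVD download the comment mentions is cached between runs, so only the first scan on a machine is slow. For the Gradle side of the original question, the same OWASP project also publishes a Gradle plugin (`org.owasp.dependencycheck`, task `dependencyCheckAnalyze`) with the equivalent `failBuildOnCVSS` setting.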