I took the liberty to sync QA tools among Ant, Ivy and IvyDE. A couple of notes: Ant 1.10 having a Java 8 baseline permits migration from FindBugs to SpotBugs; I decided to it now rather than wait for dependency issues [1] to be resolved. Then I was surprised that Dependency Check indicates that the latest XZ 1.8 has a vulnerability: should we ask them to investigate?
Gintas [1] https://github.com/spotbugs/spotbugs/issues/655 P.S. Here's the complete Dependency Check report: [owasp:dependency-check] bsh-core-2.0b4.jar (org.beanshell:bsh-core:2.0b4, cpe:/a:beanshell_project:beanshell:2.0.b4) : CVE-2016-2510 [owasp:dependency-check] jruby-1.6.8.jar (cpe:/a:jruby:jruby:1.6.8, org.jruby:jruby:1.6.8) : CVE-2012-5370 [owasp:dependency-check] jython-2.7.0.jar (org.python:jython:2.7.0, cpe:/a:jython_project:jython:2.7.0) : CVE-2016-4000 [owasp:dependency-check] xz-1.8.jar (cpe:/a:tukaani:xz:1.8, org.tukaani:xz:1.8) : CVE-2015-4035 [owasp:dependency-check] jruby-1.6.8.jar/META-INF/maven/org.jruby.ext.posix/jnr-posix/pom.xml (org.jruby.ext.posix:jnr-posix:1.1.9, cpe:/a:jruby:jruby:1.1.9) : CVE-2010-1330, CVE-2011-4838, CVE-2012-5370