Hi, all, currently you can run the OWASP dependency check plugin against your projects.
Though, this seems to make security more or less optional: unaware or lightheaded teams could miss this. What if a package repository integrated with this dependency checking and issued a warning, say a special HTTP response code or a header? Then, Maven would raise the warning in the console log, like "this component is known to have CVE-XYZ! consider upgrading". What do you think?