Re: [DISCUSS] Introduce OWASP dependency-check-maven plugin?

2023-10-25 Thread Nick Dimiduk
Hi Duo, Generally, I think that this is a good idea. I have previously attempted to use the Jenkins OWASP stuff and found it was a non-trivial project to manage exclusions lists. We ended up abandoning the effort for lack of value-for-time reward. I think it's more important that we manage this

[DISCUSS] Introduce OWASP dependency-check-maven plugin?

2023-10-07 Thread Duo Zhang
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ The plugin will download the NVD database and use it to detect CVEs in our dependencies. I think we could make this part of the release process, and also add the check to the nightly build and pre-commit check. Thoughts? Thanks.
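The kind of plugin wiring the proposal above describes, as an added example that is not part of the original messages and not the project's own pom. The plugin coordinates and goal names are the real ones from the linked documentation; the version, the CVSS threshold, the suppression-file path and the data-directory location are assumptions chosen for illustration. It also addresses Nick's point about exclusion lists by routing them through a single reviewed file rather than ad hoc flags.

```xml
<!-- Added example: dependency-check-maven configured for a nightly / release gate.
     Not the project's own pom. Version, threshold, paths are assumed values. -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.4.0</version> <!-- assumed; pick the current release -->
  <configuration>
    <!-- Fail the build on any finding scored at or above this CVSS (assumed threshold) -->
    <failBuildOnCVSS>7.0</failBuildOnCVSS>
    <!-- Exclusions live in one version-controlled file (assumed path) so every
         suppression goes through code review instead of a CI-side switch -->
    <suppressionFiles>
      <suppressionFile>${project.basedir}/dev-support/owasp-suppressions.xml</suppressionFile>
    </suppressionFiles>
    <!-- Only scan what ships: test-scoped dependencies are not in the release -->
    <skipTestScope>true</skipTestScope>
    <!-- Keep the downloaded NVD data outside the build tree so the CI job can
         cache it between runs; otherwise every run re-downloads the database -->
    <dataDirectory>${user.home}/.m2/dependency-check-data</dataDirectory>
    <!-- HTML for humans, JSON for the CI job to parse -->
    <formats>
      <format>HTML</format>
      <format>JSON</format>
    </formats>
  </configuration>
  <executions>
    <execution>
      <id>cve-check</id>
      <phase>verify</phase>
      <goals>
        <!-- aggregate produces one report across all modules of a multi-module build -->
        <goal>aggregate</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place the nightly and release jobs run the check as part of `mvn verify`; for the pre-commit case the NVD download dominates the run time, so it only stays fast if the data directory is cached between jobs. Each entry in the suppression file should match one package (a `<packageUrl>`) to one `<cve>` and carry an `until` date on the `<suppress>` element, so that an exclusion expires and has to be re-justified rather than silently outliving the reason it was added.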