René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Improve detection of CVE-affected components","articleBody":"As discussed in [this Zulip thread](https://imagesc.zulipchat.com/#narrow/channel/327237-SciJava/topic/Security.20and.20CVEs.20in.20Old.20Native.20Libraries/with/535708343), we can do more to check for CVEs impacting dependencies in SciJava-based projects:\n1. Any build extending pom-scijava-base (either directly or indirectly via pom-scijava) should have an easily accessible build mode (goal, profile, whatever) for running the `dependency-check-maven-plugin` from `org.owasp` to check its dependency tree for security issues.\n2. Any BOM extend pom-scijava-base (notably pom-scijava, but not necessarily limited to that) should be able to invoke the `dependency-check-maven-plugin` as well on all managed components, not just active dependencies.\n3. Trickier are managed JAR components that wrap native code. It might be limitedly possible to catch them with the `dependency-check-maven-plugin` by ensuring all the scanning modes are enabled:\n    ```xml\n    \u003cconfiguration\u003e\n        \u003cassemblyAnalyzerEnabled\u003etrue\u003c/assemblyAnalyzerEnabled\u003e\n        \u003carchiveAnalyzerEnabled\u003etrue\u003c/archiveAnalyzerEnabled\u003e\n        \u003cjarAnalyzerEnabled\u003etrue\u003c/jarAnalyzerEnabled\u003e\n    \u003c/configuration\u003e\n    ```\n    but it's imperfect at best.\n\nWe do already use Dependabot on GitHub with both pom-scijava-base and pom-scijava, but it has not reported much of anything in recent years, so I wonder how effective those scans actually are.","author":{"url":"https://github.com/ctrueden","@type":"Person","name":"ctrueden"},"datePublished":"2025-08-22T15:59:11.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/38/pom-scijava-base/issues/38"}