Follow

Replaced OWASP Dependency Check with Sonatype and it worked flawlessly. Sonatype previously allowed for anonymous request for CVE scans but these days, one needs to create an account and create a user token. So basically, pom updates only.

Run mvn verify to scan the project. Ended up with 17 CVE vulnerability findings. Excluded tests related dependencies and the findings went down a few. Upgraded to Spring Boot 3.5.15 removed almost all the CVE vulnerability findings and finally upgraded logback version.The cvss score threshold used is 7.

Made a latest stable release.

Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.