I accidentally had added

<groupId>pl.project13.maven</groupId>
<artifactId>git-commit-id-plugin</artifactId>
<version>4.0.4</version>

to the <dependencies> section of my POM.
I also had it correctly in the build plugins section.
Scanning with the dependency-check Maven plugin showed some vulnerabilities for plexus 2.0.4, which was shown as a dependency of git-commit-id-plugin when executing mvn dependency:tree.
When I removed the git-commit-id-plugin dependency from the regular dependencies block, the finding in dependency-check went away.
Is there a way I can include all dependencies from the POM in the dependency check? Even during build and packaging time, I think it's important not to have any vulnerable code included in the project.
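The two placements described above, side by side, as an added illustration (not the asker's POM). The first block is the mistake: a Maven plugin declared under <dependencies> gets the default compile scope, so it and everything it pulls in (here plexus) become part of the project's dependency tree and are picked up by dependency-check. The second block is the intended placement as a build plugin. The dependency-check wiring at the bottom is an assumption added for illustration; the plugin's version element is left out so you pin whichever current release you use.

```xml
<!-- Added example, not the asker's POM. Excerpt only: project coordinates omitted.
     git-commit-id-plugin 4.0.4 is the version from the question; the
     dependency-check configuration is an added assumption. -->
<project>
  <!-- WRONG: a build plugin listed here receives compile scope, so it and its
       transitive dependencies join the application classpath, appear in
       mvn dependency:tree, and are scanned (and flagged) by dependency-check.
       Delete this block. -->
  <dependencies>
    <dependency>
      <groupId>pl.project13.maven</groupId>
      <artifactId>git-commit-id-plugin</artifactId>
      <version>4.0.4</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- RIGHT: declared as a plugin, it runs only inside the Maven process and is
           not part of the artifact's dependency tree. -->
      <plugin>
        <groupId>pl.project13.maven</groupId>
        <artifactId>git-commit-id-plugin</artifactId>
        <version>4.0.4</version>
      </plugin>

      <!-- Assumed addition: dependency-check bound to its default phase (verify).
           failBuildOnCVSS fails the build once any finding reaches that CVSS score,
           so a vulnerable compile-scope dependency cannot be packaged unnoticed.
           Add a <version> pinned to a current release. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Note that this only covers what the project's own dependency tree contains, which is exactly why the finding disappeared once the plugin left <dependencies>. To at least see which artifacts the build plugins themselves resolve, run mvn dependency:resolve-plugins; those jars are not part of the artifact's dependency tree and are not what the check goal above scans.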