Consider running dependency check as an action rather than integrated in the maven build #262
Comments
|
Agreed. Also, with proper dependabot config and dependency graph feeding, dependency-check is less useful. I've configured dependency-check here more to get a feeling about what it could provide. |
|
In PR #274 I have moved the dependency check to a separate profile that is not enabled by default in the ci builds. |
|
Should we close this one then? Or do you want to create a workflow that will run with this profile separately? |
|
We should add an action to run the dependency check on a regular basis using a schedule and then we can compare the results with dependabot. I see that as experimenting with existing tools to understand their strengths and weaknesses. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The dependency check is rather slow as it downloads all cve everytime it is run.
Consider using an action instead that comes with a pre-build image of cve's so that not all of them have to be downloaded again and again.
The text was updated successfully, but these errors were encountered: