As discussed on the mailing list
any objections against automatic checking of known, publicly disclosed
dependency vulnerabilities in the Maven build process (e.g. via a profile).
I was thinking about introducing OWASP dependency checking (see
https://www.owasp.org/index.php/OWASP_Dependency_Check) in the TomEE
project, so we are aware of security risks introduced by (transient)
Any thoughts on this?
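An opt-in Maven profile of the kind the post suggests, as an added example that is not from the TomEE project or the original message; the plugin coordinates, goal and parameters are the real dependency-check-maven ones, the version is a placeholder, and the suppression-file path is an assumption:

```xml
<!-- Added example (not TomEE's pom.xml): an opt-in profile that runs OWASP Dependency-Check.
     Activate with: mvn -Pdependency-check verify   (the check goal binds to the verify phase) -->
<profiles>
  <profile>
    <id>dependency-check</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <version>X.Y.Z</version> <!-- placeholder: pin a current release -->
          <configuration>
            <!-- Fail the build when a finding's CVSS base score is 7.0 or higher -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- Test-scoped dependencies do not ship in the artifact; skip them -->
            <skipTestScope>true</skipTestScope>
            <!-- Reviewed false positives are recorded here instead of being silenced ad hoc
                 (path is an assumption) -->
            <suppressionFiles>
              <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
            </suppressionFiles>
            <!-- HTML for humans, JSON for the CI job to parse -->
            <formats>
              <format>HTML</format>
              <format>JSON</format>
            </formats>
          </configuration>
          <executions>
            <execution>
              <goals>
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

For a multi-module build such as TomEE, the `aggregate` goal produces one report across all modules instead of one per module; the profile keeps the scan off the default build so it can be enabled only where the vulnerability database download is acceptable.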