Open netomi opened 10 months ago
Agreed. Also, with proper dependabot config and dependency graph feeding, dependency-check is less useful. I've configured dependency-check here more to get a feeling about what it could provide.
In PR #274 I have moved the dependency check to a separate profile that is not enabled by default in the ci builds.
Should we close this one then? Or do you want to create a workflow that will run with this profile separately?
We should add an action to run the dependency check on a regular basis using a schedule and then we can compare the results with dependabot. I see that as experimenting with existing tools to understand their strengths and weaknesses.
The dependency check is rather slow as it downloads all CVEs every time it is run.
Consider using an action instead that comes with a pre-built image of CVEs so that not all of them have to be downloaded again and again.
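As an added example (not from the PR or from any commenter in this thread), here is what a scheduled workflow for the separate profile could look like, covering both the "run it on a schedule and compare with dependabot" suggestion and the slow-download concern: the dependency-check data directory is cached between runs so only the NVD delta is fetched. Assumptions: the profile introduced in PR #274 is called `dependency-check` (placeholder name), the project builds with Maven on Java 17, and the plugin keeps its default data directory under the local Maven repository.

```yaml
# Added example, not part of the project: weekly dependency-check run with a
# persisted NVD data directory. Profile name and Java version are assumptions.
name: dependency-check

on:
  schedule:
    - cron: '0 3 * * 1'   # every Monday, 03:00 UTC
  workflow_dispatch:        # manual trigger, handy when comparing against dependabot

permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      # Keep the dependency-check data (CVE feed) between runs; the key never
      # matches exactly, so a fresh cache is saved after every run, while
      # restore-keys pulls the most recent one in before the update step.
      - uses: actions/cache@v4
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: dependency-check-data-${{ github.run_id }}
          restore-keys: |
            dependency-check-data-

      # Profile name "dependency-check" is a placeholder for the one in PR #274.
      - name: Run dependency-check profile
        run: mvn -B -Pdependency-check verify

      # Publish the HTML report so results can be reviewed alongside dependabot alerts.
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: '**/target/dependency-check-report.html'
```

The cache does not remove the first full download, but subsequent scheduled runs only fetch what changed since the cached copy, which is the same effect a pre-built CVE image gives without depending on a third-party action.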