Use Java dependency-check GitHub Action

hyperledger / fabric-gateway

Go, Node and Java client API for Hyperledger Fabric v2.4+

https://hyperledger.github.io/fabric-gateway/

Apache License 2.0

152 stars 89 forks source link

Closed bestbeforetoday closed 3 months ago

bestbeforetoday commented 3 months ago

The Maven dependency-check plugin is tricky to run due to:

Need for NVD API token.
Need to cache vulnerability database to avoid downloading the whole database on every invocation.
Unreliability of the NVD API endpoint.

The action uses a Docker container that includes an up-to-date copy of the vulnerability database so avoids the need to use the NVD API.