playframework / play1

Play framework
https://www.playframework.com/documentation/1.4.x/home

Enable dependency vulnerability scanning #1421

Open Fraserhardy opened 2 years ago

Fraserhardy commented 2 years ago

In order to ensure the framework is using libraries that do not contain vulnerabilities, it would help to have the framework scanned automatically.

Due to the non-standard nature of dependency handling in Play 1, this is more difficult. However, I have found that it's possible with Snyk using their "scan unmanaged jar" feature: https://docs.snyk.io/snyk-cli/test-for-vulnerabilities/scan-all-unmanaged-jar-files
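The unmanaged-jar approach above works because a scanner can identify a jar without any build file: it hashes the archive (Snyk's unmanaged mode looks jars up by hash, which I take as an assumption here) or reads the Maven coordinates most build tools leave in `META-INF/maven/<group>/<artifact>/pom.properties`. The script below is an added example, not code from this issue or the Play project: it walks a directory such as Play 1's `framework/lib`, records each jar's SHA-1 and coordinates, and emits a minimal CycloneDX JSON SBOM that any SBOM-consuming scanner can take instead of a (non-existent) dependency specification. It assumes nothing about Play beyond "a directory full of jars"; the sample jars it builds in a temp directory are constructed for the demo.

```python
"""Inventory unmanaged jars and emit a CycloneDX SBOM (added example, not
part of the Play 1 issue or project).

Assumptions (not from the original page):
  * Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties;
    hand-built jars will not, and are reported as unidentified.
  * The consumer accepts CycloneDX 1.4 JSON or can look jars up by SHA-1.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class JarInfo:
    path: str
    sha1: str
    group: Optional[str]
    artifact: Optional[str]
    version: Optional[str]

    @property
    def purl(self) -> Optional[str]:
        """Package URL, the identifier vulnerability databases key on."""
        if self.group and self.artifact and self.version:
            return f"pkg:maven/{self.group}/{self.artifact}@{self.version}"
        return None


def _parse_properties(text: str) -> dict:
    """Minimal java.util.Properties parser (key=value, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        props[k.strip()] = v.strip()
    return props


def inspect_jar(path: str) -> JarInfo:
    """Hash the jar and pull Maven coordinates from pom.properties if present."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    group = artifact = version = None
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                group, artifact, version = (props.get("groupId"),
                                            props.get("artifactId"),
                                            props.get("version"))
                break  # shaded jars may bundle several; first one is the jar's own
    return JarInfo(path, h.hexdigest(), group, artifact, version)


def inventory(root: str) -> list:
    """Every *.jar under root, in a deterministic order."""
    jars = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".jar"):
                jars.append(inspect_jar(os.path.join(dirpath, fn)))
    return jars


def to_cyclonedx(jars: list):
    """Return (bom_dict, [paths of jars with no recoverable coordinates])."""
    components, unidentified = [], []
    for j in jars:
        if j.purl is None:
            unidentified.append(j.path)  # these need manual or hash-based lookup
            continue
        components.append({"type": "library", "group": j.group, "name": j.artifact,
                           "version": j.version, "purl": j.purl,
                           "hashes": [{"alg": "SHA-1", "content": j.sha1}]})
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "components": components}
    return bom, unidentified


def build_sample_lib(root: str) -> None:
    """Constructed sample: one Maven-built jar, one hand-built jar without metadata."""
    with zipfile.ZipFile(os.path.join(root, "foo-1.2.3.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.example/foo/pom.properties",
                    "#Generated by Maven\ngroupId=org.example\nartifactId=foo\nversion=1.2.3\n")
    with zipfile.ZipFile(os.path.join(root, "handbuilt.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Run the inventory over the constructed sample; paths reduced to basenames."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_lib(root)
        bom, unidentified = to_cyclonedx(inventory(root))
        return bom, [os.path.basename(p) for p in unidentified]


if __name__ == "__main__":
    bom, unidentified = demo()
    print(json.dumps(bom, indent=2))
    print("unidentified jars (look up by SHA-1 or pin by hand):", unidentified)
```

For a real tree, call `to_cyclonedx(inventory("framework/lib"))` and hand the JSON to the scanner; the `unidentified` list is the part that needs human attention, since a jar with no coordinates silently drops out of any purl-based vulnerability match.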

cies commented 1 week ago

When we at RePlay upload to OSSRH (Maven Central), we get a vulnerability scan on the dependencies by Sonatype for free by email (with a link to see the details). I think this is based on the JAR, not on the dependency specification; you could ask the Play1 devs if they also get this report and if they can publish it or share it with you.

Since the RePlay project uses Gradle, instead of the "ivy2-situation" Play1 has, we can also do dependency vulnerability scans based on that.