Hate those e-mails asking “are you using some_vulnerable.JAR or some.vulnerable.class?” about a project that you (or anybody else) hasn’t touched in years, followed by your eyes drying out as you stare at the dependency hierarchy of that old project?
Well, hate no more! Understanding that not all JARs are created equal is the first step in realizing why there is consternation. The only constant in Open Source is change, and keeping up with versions, CVEs, industry trends, etc. can be a burden, especially as team members move on. There are so many dependencies in a modern Java project that one would need a warehouse to store all these parts [*cough* your artifact repository].
Having supply chain discipline when consuming Open Source can help answer the “where” and “what” of what an enterprise has deployed. Applying supply chain principles and data gives insight beyond what your CMDB holds. That makes Dev & Ops happy while driving Open Source adoption and visibility.
Also, this session will provide an update on last year’s AJUG talk, State of Open Source Software Supply Chain.