Jeremy Long
CycloneDX plugins may be viable. You can then set up dependency-track to monitor the SBOMs.
Another option might be to configure the front-end plugin's installation directory: https://github.com/eirslett/frontend-maven-plugin?tab=readme-ov-file#installation-directory Then also configure these to be on the path so that node and yarn.
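As an added illustration of the two suggestions above (not code from the original comments or from either project), this pom.xml fragment generates a CycloneDX SBOM with the cyclonedx-maven-plugin, which could then be uploaded to dependency-track, and pins the frontend-maven-plugin installation directory via its `installDirectory` setting. The plugin versions, node and yarn versions, and the `target` directory choice are assumptions for the example; substitute what your build actually uses.

```xml
<build>
  <plugins>
    <!-- Produce a CycloneDX SBOM (target/bom.json, target/bom.xml) at package time.
         Version 2.8.0 is an assumed example value. -->
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.8.0</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

    <!-- Install node and yarn into a known location instead of the default
         ./node directory, so the scanner can find them under target/.
         Plugin, node and yarn versions are assumed example values. -->
    <plugin>
      <groupId>com.github.eirslett</groupId>
      <artifactId>frontend-maven-plugin</artifactId>
      <version>1.15.0</version>
      <configuration>
        <installDirectory>target</installDirectory>
      </configuration>
      <executions>
        <execution>
          <id>install-node-and-yarn</id>
          <goals>
            <goal>install-node-and-yarn</goal>
          </goals>
          <configuration>
            <nodeVersion>v20.11.1</nodeVersion>
            <yarnVersion>v1.22.19</yarnVersion>
          </configuration>
        </execution>
        <execution>
          <id>yarn-install</id>
          <goals>
            <goal>yarn</goal>
          </goals>
          <configuration>
            <arguments>install --frozen-lockfile</arguments>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With `installDirectory` set to `target`, the binaries land under `target/node/` and `target/node/yarn/`; those directories are what would need to be on the PATH for a scanner that shells out to yarn, which is the point the comment above was making.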
[dependency-track](https://dependencytrack.org/) platform
This is related to https://github.com/jeremylong/DependencyCheck/issues/5432
Does the frontend maven plugin specify the path to node via an ENV variable or config option for yarn?
One thing you may find with tools like trivy is that some JAR files may not be correctly identified. Problematic JARs would be shaded/uber/one JAR files and possibly those built...
If you ran your build with `-X` does it output the full yarn command used during the build? I haven't had time to dig into the maven-frontend-plugin - I may...
I had an idea about how I *might* be able to make ODC work with this. I'm going to have to do some testing on https://github.com/eclipse-leshan/leshan/commit/c611bcfa852e330af13a3cc27bbb14b83fde253e
What version of react native is being used?
Upgrading is a breaking change. I'd rather hold off a bit. If the concern is the CVE, see https://github.com/jeremylong/DependencyCheck/security/dependabot/833. The CLI is not used in the dependency-check project.