Jeremy Long
Check out https://jeremylong.github.io/DependencyCheck/general/internals.html
There are likely other errors above what you've posted that explain what went wrong. My guess is that the NVD data was unable to be downloaded. Here are the two...
As I said before, "There are likely other errors above what you've posted that explain what went wrong." You may need to add `--log odc.log` to the command executed.
I know nothing about the sonar integration. But I'm assuming you need to add `--format XML --format HTML`
Sorry for the delay - if you want to give this a try please do! We love PRs.
While the PR may have some merit, the intent of this was to complete something like this: https://github.com/jeremylong/DependencyCheck/compare/scratch/add-source Where we would need to call `dependency.addSourceReferences(source)` everywhere a new dependency...
If we have a JAR file that was included because of the pom - we should put the pom in the sourceReference. While it would be great if we could...
Do you have a sample project?
I'm pretty sure 7.x will still work. However, you may need to explicitly force a few dependencies in your build script. See https://github.com/jeremylong/DependencyCheck/issues/6192#issuecomment-1851791932
This is not documented yet - I have not had time. Once I'm able to fully test this I was going to update the documentation.