Jeremy Long
remove `--debug`.
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html You'll notice `--debug` isn't even documented. This is a somewhat hidden parameter because the only people that would use it are the developers of dependency-check.
Via the open-vulnerability-client API: https://github.com/jeremylong/Open-Vulnerability-Project/blob/5988546bfa6c62d7342f2e583ba7e11882e5bdee/open-vulnerability-clients/src/main/java/io/github/jeremylong/openvulnerability/client/nvd/NvdCveClientBuilder.java#L170 Via the vulnz CLI - I don't think I exposed that. We accept PRs.
Which is why the project ships with a gradle wrapper.
When we upgrade the build to use 21 this will get fixed. There is not an issue with using the library under JRE 21 as spotbugs is not a runtime dependency.
Yes - OSV can be added to the library. However, I have some work to complete on dependency-check before I can do much more with this project.
I would agree with Steve - in cases like this generating an SBOM using CycloneDX or SPDX is a better option. However, in most cases the software contained in an...
I also wouldn't just stop with Docker. The community could start putting in issues and PRs to the build tools like maven, gradle, build plugins that combine artifacts like uber/shade...
If #80, #81, and #82 are merged - I can submit another PR to output JSON as an option.
What version of `vulnz` are you using? What version of ODC are you using?