Henrik Plate
For every CSV entry with a valid URL in field `Source` and specific versions in field `Affected Version` (thus, no empty fields or `*`), a statement shall be generated as...
Wouldn't it be possible to just keep the timestamp of the last run of kaybee (instead of the last reconciliation of a given vulnerability)?
I thought you could force the merge for single vulnerabilities by something like `kaybee merge CVE-0123-4567 --force`, thereby ignoring the `last_kaybee_run` timestamp. Anyways, together with timestamp(s) you should also remember...
Regarding sources: This means you need to have the result of the last merge in order to know the source(s) it originated from? If yes, you could take the timestamp...
AFAIK, you already produce a merge log. And considering sets of previously considered statements also, intuitively, covers the case of added/removed sources. All in all, I think it makes sense to proceed...
We only show the call path to vulnerable methods in the frontend, we do not include this detailed information in the report. You can obtain it programmatically by calling this...
Hello @axidex - There's no need to use the CLI if you do have a POM file. In that case, I really recommend using Steady's Maven plugin, which will pick...
Since you said you ran `mvn package`, which includes compiling project sources, I thought this would be a possibility. Were you able to run the app goal beforehand, which is...
Thanks for sharing the test project. Note that it was easily possible to use the Maven plugin: I just cloned the repo, compiled the classes in `src` and ran the...
I debugged into it and do not think they are problematic. The first occurs in a method trying to find the URL of the JAR from which a class was...