I understand that there is a way to identify libraries that have CVEs associated with them (the OWASP calls), but I am looking for a way to automatically generate a report that identifies libraries that are candidates for upgrading because the maintainers no longer provide security updates or bugfixes (essentially, they've been deprecated). I am aware of Maven's display-dependency-updates, which provides a list of libraries that have upgrade candidates, but I can't find a similar tool or process that can generate a report for deprecated libraries. I thought Nexus or Artifactory could do this, but it appears they cannot (unless I missed something).

Slartibartfast
  • This is discussed already in another [post](https://stackoverflow.com/questions/19998558/how-to-deprecate-a-library-in-eclipse-maven-nexus). There is currently no way to deprecate a whole Maven library, even if there was a bug that was discovered post release and the author wants to invalidate that version. – Yonatan Wilkof Feb 25 '20 at 13:38
  • If you would deprecate a version of a library you could break a lot of other builds...apart from that this information can't be added to central repository... – khmarbaise Feb 25 '20 at 13:50

0 Answers