Hello,
We created a custom goal for a custom Maven mojo which creates an xlsx from the dependency-check-report.xml output, etc. I am going through a custom xlsx that we create as a result of dependency-check:aggregate execution on our master project.
If we need to determine which minimum version of Apache HTTP server (httpd), or some other dependency/artifact which was analyzed and which was referenced in multiple CVEs from different years with different ranges of versions cited in the CVEs as being problematic, how will we best determine which minimum version of that dependency we should use in our project(s) to resolve all the CVEs in which that dependency is cited? Currently it seems it must be a manual process, correct?