Using version 1.4.5 of the plugin.
We are currently using the dependency-check plugin to create a .xlsx file to create an inventory of our Maven dependencies and track CVEs for security purposes. The data in the .xlsx file consists of essentially a merge of data from maven dependency:tree and dependency-check:aggregate data. Our POM structure is a master pom with n child poms, each of which has m sub-child poms. I noticed in the generated dependency report HTML that there is no column which indicates which modules the specific JAR is used in (I have that column in my workbook). Is it possible to add that info to the reports as an option to the goal, or is this an enhancement request? If this could be added and the dependency report would capture all dependencies from all POMs in our structure, I don't think I'd need this Java client to create the .xlsx file.
I am noticing that the dependency:check and dependency:aggregate are failing when I run them from the OS X bash cmd line with the 1.4.5 version, and there is no specific root cause displayed in the trace. I just ran it for two master poms (my Java client aggregates the data and writes via Apache POI to xlsx successfully). I'm not sure how consistent/dependable this plugin is.
Also, where exactly is the data for the NVD CVE stored on a Mac? I was not able to find documentation or GitHub issue info to answer this. Is it by default an H2 db, and if so, is it stored on disk or in memory? The skip for last 12 hrs for update seems buggy, as I did not run the goal this weekend but it did skip (which is more than 12 hrs).