The plugin doesn't look at the jar files or the source code; it only
looks at the pom files and specifically the dependencies. It checks
the GAV (GroupId, ArtifactId and Version) to see if you have any
matches against the known vulnerabilities databases.
So as long as security researchers are checking Kotlin projects and
putting those GAVs into the vulnerability database, you'll be
covered.
You might get false negative results if someone changes a Java
Project into a Kotlin 'version', either by wrapping it or re-writing
it, and then breaking the GAV dependency change or giving it a new
GAV.
Hope that helps...
John
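
A simplified model of the GAV matching described in the message above, added here as an illustration; it is not part of the original message and is not Dependency-Check's own code. The advisory table, the advisory id and every coordinate in the sample pom are constructed, and the function names are hypothetical. It shows the false negative: the same code republished under a new GAV matches nothing.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed advisory table keyed by exact GAV (placeholder advisory id).
KNOWN_VULNERABLE = {
    ("com.example", "legacy-parser", "1.2.0"): "EXAMPLE-ADVISORY-1",
}

# Constructed pom: the second dependency stands for a Kotlin re-wrap of
# legacy-parser that was published under a different GAV.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.app</groupId>
  <artifactId>demo</artifactId>
  <version>0.1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>legacy-parser</artifactId>
      <version>1.2.0</version>
    </dependency>
    <dependency>
      <groupId>io.example.kt</groupId>
      <artifactId>legacy-parser-kotlin</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

def declared_gavs(pom_text):
    """Return (groupId, artifactId, version) for each declared dependency."""
    root = ET.fromstring(pom_text)
    gavs = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gavs.append(tuple(
            dep.findtext(f"m:{tag}", default="", namespaces=NS).strip()
            for tag in ("groupId", "artifactId", "version")))
    return gavs

def match_gavs(pom_text, advisories=KNOWN_VULNERABLE):
    """Exact-GAV lookup: only coordinates present in the table are flagged."""
    return {g: advisories[g] for g in declared_gavs(pom_text) if g in advisories}

if __name__ == "__main__":
    hits = match_gavs(SAMPLE_POM)
    for gav in declared_gavs(SAMPLE_POM):
        print(":".join(gav), "->", hits.get(gav, "no match"))
```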