OWASP Dependency Check is a tool that checks whether the Java libraries you use have known security issues (published CVEs, matched against the NVD data it downloads). I currently use the 1.3.6 version.
Once the CVE data is up to date (the first run has to download it and takes noticeably longer), it takes 2+ minutes on my machine to check the dependencies (2016/04/15).

Since it often reports false positives, or issues that do not really need attention, you need to maintain a suppression file so that only new or unreviewed findings show up in the report.

First I must say, it's very tedious work to use OWASP Dependency Check to identify and possibly fix dependency vulnerabilities. Not only are there many false positives or issues not really needing our attention, but some issues also hide others. So you need to check issues one by one, put the relevant suppression information in the suppression file, run the check again, etc. Unfortunately it's the best solution we have so far, because it's not enough to blindly update the libraries we use to the latest version.

...

>dependency-check -project OFBiz -scan C:\projectsASF\ofbiz --suppression C:\projectsASF\ofbiz\tools\security\dependency-check\suppress.xml --out C:\projectsASF\ofbiz\tools\security\dependency-check\

You can remove the "--suppression C:\projectsASF\ofbiz\tools\security\dependency-check\suppress.xml" part (the same path given in the command above) if you want to see the initial state, i.e. the full report with no suppressions applied.
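The file passed with --suppression has a small XML format. The following is an added example of a suppress.xml written for this page (it is not the OFBiz project's own file) showing the three kinds of entries you end up writing while reviewing findings one by one: a wrong CPE match, an accepted CVE pinned to one exact jar, and a match on Maven coordinates. The schema URL is the one the 1.x command line documents for suppression files; the file path pattern, the CPE, the sha1 of forty zeros, "CVE-YYYY-NNNNN" and the org.example coordinates are placeholders to be replaced with the values printed in your report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppress.xml for dependency-check 1.x (added illustration, not the project's file).
     The schema URL below is the one the 1.x CLI documents; check it against your version. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <!-- Case 1: false positive. The tool guesses CPEs from the jar name, manifest and pom,
       so an unrelated product can be matched. Suppress the bad CPE, not the CVEs, so
       that a real match for the same jar would still be reported.
       filePath is a regular expression when regex="true"; keep it as narrow as possible,
       a broad pattern is exactly how one finding ends up hiding another. -->
  <suppress>
    <notes><![CDATA[
      Placeholder: wrong CPE guessed from the jar name; this jar is not that product.
      Record who checked it and when, and re-check when the jar is upgraded.
    ]]></notes>
    <filePath regex="true">.*[/\\]some-vendor-.*\.jar</filePath>
    <cpe>cpe:/a:some_vendor:some_product</cpe>
  </suppress>

  <!-- Case 2: true positive that does not apply (the vulnerable code path is not used).
       Pinned to the exact jar by SHA1 so a newer jar with the same name is NOT silently
       suppressed. The sha1 (forty zeros here) and CVE-YYYY-NNNNN are placeholders:
       copy both from the report. -->
  <suppress>
    <notes><![CDATA[
      Placeholder: the CVE only affects a feature OFBiz does not use. Accepted risk;
      reference the tracking ticket here.
    ]]></notes>
    <sha1>0000000000000000000000000000000000000000</sha1>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>

  <!-- Case 3: match on Maven coordinates (gav = group:artifact:version, regex allowed),
       useful for jars whose sha1 changes (e.g. rebuilt locally). Less strict than sha1:
       prefer the sha1 form whenever the jar is a released artifact. -->
  <suppress>
    <notes><![CDATA[ Placeholder coordinates; replace with the ones from the report. ]]></notes>
    <gav regex="true">^org\.example:example-lib:1\.2\..*$</gav>
    <cve>CVE-YYYY-NNNNN</cve>
  </suppress>
</suppressions>
```

Each entry suppresses only the intersection of its selectors (this jar AND this CVE or CPE), so a suppression never hides findings on other jars. Re-run the dependency-check command above after every few entries: when a suppressed finding disappears, the report sometimes surfaces a second one on the same jar that was previously masked, which is the "some issues hide others" effect described above.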

...