by mnd999 1653 days ago
No, we’re not gonna buy your shitty SaaS just to parse some .pom files.

If we’re feeling particularly lazy we might even just do mvn dependency:tree

2 comments

If you’re me, doing operations for X number of clients, having a tool that would have allowed me to know which clients use which version of log4j would have saved me hours yesterday. I don’t know exactly what library a random developer at each customer uses, nor do I have access to their code. It would have been nice to be able to easily look up which few clients I need to call.

You don’t need to buy anything; just use CycloneDX and OWASP Dependency Track: https://news.ycombinator.com/item?id=29542271
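
Added example, not written by any commenter in this thread: a sketch of the lookup asked for above (which clients ship which log4j version), run over one CycloneDX JSON BOM per client. The client names and BOM contents are constructed sample data, and it assumes each client can hand over a BOM even when the source code is not accessible.

```python
import json

def walk(components):
    """Yield every component, descending into nested `components` arrays."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def log4j_hits(bom, group="org.apache.logging.log4j"):
    """Return sorted (name, version) pairs for components in `group`."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON BOM")
    hits = set()
    for comp in walk(bom.get("components")):
        purl = comp.get("purl", "")
        # Match on the group field, or on the Maven purl when group is absent.
        if comp.get("group") == group or purl.startswith(f"pkg:maven/{group}/"):
            hits.add((comp.get("name", "?"), comp.get("version", "unknown")))
    return sorted(hits)

def inventory(boms):
    """Map client -> log4j components found; clients without any are omitted."""
    report = {}
    for client, bom in boms.items():
        hits = log4j_hits(bom)
        if hits:
            report[client] = hits
    return report

# Constructed sample BOMs for three hypothetical clients.
SAMPLE_BOMS = {
    "client-a": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "application", "group": "com.example", "name": "billing", "version": "1.0",
         "components": [  # nested (bundled) dependency
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1"}]}]},
    "client-b": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.7"}]},
    "client-c": {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.0",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.17.0"}]},
}

if __name__ == "__main__":
    for client, hits in inventory(SAMPLE_BOMS).items():
        print(client, json.dumps(hits))
```

The nested-component walk matters because a BOM can list a bundled library under its parent application rather than at the top level, and a flat scan would miss it.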