Run OWASP Dependency Check on all old versions


The normal OWASP Dependency Check Maven plug-in makes a good job of scanning the current version of a project for vulnerabilities in its dependencies.

But how about vulnerabilities that are reported for the dependencies of old versions of the project?

All guides to OWASP Dependency Check I have seen describe how to set it up to check only the current version of a project.

I believe that, to avoid vulnerabilities, all versions of a project that are still in use should be checked regularly, both current and old. The check should also run periodically, not just when a build is performed.

What is the best way to use OWASP Dependency Check to do this?

One way would be to check all artifacts that are deployed to a certain Maven repository. Are there any good ways to do that?

1 answer

I assume that you have a tag or branch in your source repository for each old version of the software, so you have to check out this tag/branch in your workspace before running the dependency check. This operation can be automated by some continuous integration tool like Jenkins.
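The procedure the answer describes, as an added example that is not code from the question, the answer or the OWASP project: a script a scheduled CI job can run that checks out every release tag in its own git worktree, runs the Dependency-Check Maven plugin there, and keeps one report directory per version. It assumes release tags match `TAG_PATTERN`, that each tagged revision builds with `mvn`, and that the plugin's `failBuildOnCVSS` property is used to make the `check` goal fail on findings at or above the chosen score.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): run the OWASP
# Dependency-Check Maven plugin against every release tag of a project, each in
# a throwaway git worktree, and collect the reports in one directory per version.
# Intended for a scheduled CI job (e.g. a nightly Jenkins build).
set -eu

TAG_PATTERN="${TAG_PATTERN:-v*}"   # assumption: releases are tagged v1.2.3 etc.
FAIL_CVSS="${FAIL_CVSS:-7}"        # fail a version on any finding with CVSS >= 7

# Tag names may contain '/', which would create nested report directories.
safe_name() {
    printf '%s\n' "$1" | tr '/' '_'
}

# Directory that receives the reports for one tag.
report_dir() {
    printf '%s/%s\n' "$1" "$(safe_name "$2")"
}

# Scan one tag: add a detached worktree, run the plugin, keep the report,
# clean up. Returns the plugin's exit status so the caller can count failures.
scan_tag() {
    repo="$1"; tag="$2"; root="$3"
    tmp="$(mktemp -d)"; wt="$tmp/src"
    out="$(report_dir "$root" "$tag")"
    mkdir -p "$out"
    git -C "$repo" worktree add --detach "$wt" "$tag" >/dev/null
    status=0
    # -B: batch mode for CI logs. Reports land in target/ (the plugin default).
    (cd "$wt" && mvn -B org.owasp:dependency-check-maven:check \
        -DfailBuildOnCVSS="$FAIL_CVSS") || status=$?
    cp "$wt"/target/dependency-check-report.* "$out"/ 2>/dev/null || true
    git -C "$repo" worktree remove --force "$wt"
    rm -rf "$tmp"
    return "$status"
}

# Scan every matching tag; exit non-zero if any version failed the check.
scan_all_tags() {
    repo="$1"; root="${2:-./dc-reports}"
    failed=0
    for tag in $(git -C "$repo" tag -l "$TAG_PATTERN"); do
        echo "== scanning $tag"
        scan_tag "$repo" "$tag" "$root" || failed=$((failed + 1))
    done
    echo "versions with findings or build errors: $failed"
    [ "$failed" -eq 0 ]
}

# Usage: ./scan-all-versions.sh /path/to/clone [report-root]
if [ $# -ge 1 ]; then
    scan_all_tags "$@"
fi
```

Versions no longer in use can be excluded by narrowing `TAG_PATTERN`, and the per-tag report directories let the job publish a history of which old releases still ship vulnerable dependencies.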