Does OWASP Dependency-Check scan Maven plugins?
09:22 14 May 2026

The OWASP Dependency-Check Maven plugin scans the project dependencies.

Does it also scan the Maven plugins that are used to build the project itself?

For example: if the project uses the Maven Checkstyle plugin and it were to become compromised, with a CVE reported for it, would OWASP Dependency-Check report that?

Notes
  • I browsed through Maven Central looking for Maven plugins with reported vulnerabilities, but I couldn't find any. So I haven't been able to test this myself.

  • The reason I'm asking is that when you run a build with a Maven plugin, you are at that plugin's mercy. It could do anything it wants to on your computer. Recently there have been a number of supply-chain attacks that have used NPM and PIP. Maven seems to be a bit safer because it doesn't have anything like pre-install hooks that can run code. But if a Maven plugin gets compromised, it can totally own you.

  • By mistake I previously posted this as seeking "advice" instead of as a normal question. It seems like it's not possible to convert the post to a normal question. I have instead deleted the old post and reposted it as a question.

maven owasp owasp-dependency-check