Welcome! Please introduce yourself

Hi,

I am Nasif, a PhD student at NC State University. My research involves software security, which has brought me here. I am currently researching the risk of using vulnerable dependencies and how to effectively measure that risk so that we can prioritize their updates (given that updates are not cost free). With that objective, I am currently testing out different vulnerable dependency detection tools and comparing their outputs. For that, I have chosen OpenMRS as my case study.

I’d love to hear from the project maintainers on how they handle third-party dependencies and whether they monitor the known vulnerabilities in them. If yes, then how do they assess the risk? If no, then why not? Any input would help me better understand the process.
