USACE · ktarbet · May 29, 2026
diff --git a/README.md b/README.md
@@ -83,6 +83,17 @@ To build the war:
 
 This will compile the jar and run the basic unit tests.
 
+To run the OWASP dependency vulnerability scan:
+
+     ./gradlew dependencyCheckAggregate
+
+For faster scans, add a free [NVD API key](https://nvd.nist.gov/developers/request-an-api-key) to your
+user gradle properties file (`~/.gradle/gradle.properties`):
+
+     nvdApiKey=<your-key>
+
+The report is written to `build/reports/dependency-check-report.html`.
+
 ## Development stack
 
 See the docker-compose.README.md for instructions using the docker-compose environment

diff --git a/buildSrc/src/main/groovy/cda.deps-conventions.gradle b/buildSrc/src/main/groovy/cda.deps-conventions.gradle
@@ -19,4 +19,13 @@ repositories {
 
 configurations.all {
     exclude group: "org.python", module: "jython-standalone"
+
+    resolutionStrategy {
+        // javalin 4.6.8 pulls in the vulnerable kotlin-stdlib 1.5.32 
+        // Force a patched version; javalin can't be bumped past 4.x while we target Java 11.
+        force "org.jetbrains.kotlin:kotlin-stdlib:1.9.25"
+        force "org.jetbrains.kotlin:kotlin-stdlib-common:1.9.25"
+        force "org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.9.25"
+        force "org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.25"
+    }
 }
diff --git a/buildSrc/src/main/groovy/cda.java-conventions.gradle b/buildSrc/src/main/groovy/cda.java-conventions.gradle
@@ -26,7 +26,7 @@ test {
 }
 
 checkstyle {
-    toolVersion = '9.3'
+    toolVersion = '10.26.1'
 }
 
 dependencyCheck {