Daffodil
DFDL-1379

Add security scan tool to build cycle


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • deferred
    • 2.0.0
    • Infrastructure
    • None

There are free or low-cost tools from Black Duck and Sonatype which are scanners that examine the specific versions of OSS components in a system and which report on their known security vulnerabilities.

E.g., http://www.businesswire.com/news/home/20150618005073/en/Black-Duck-Releases-Free-Vulnerability-Plugin-Open#.VYP9u_lViko

(Perhaps Atlassian - which is the tool set - mostly - at ncsa.illinois.edu, also has one of these?)

We should look into adding one of these to our build process. It goes hand in hand with the tool we use to gather up and generate the license pages, and given the kinds of applications in network security that people discuss using DFDL for, this would be a value-add.
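To make concrete what such a scanner does at its core, here is an added example (not Daffodil's code, and not Black Duck's or Sonatype's): it takes the exact versions of third-party components a build pulls in and matches them against advisories that describe affected version ranges, then reports what to upgrade to and exits non-zero so a CI step fails. The component coordinates, versions and advisory identifiers are constructed sample data, not real artifacts or CVEs.

```python
"""Toy dependency-vulnerability scanner (added example, not Daffodil code).

Core idea of a Black Duck / Sonatype style tool: take the exact versions of
OSS components in a build and match them against a database of known
vulnerable version ranges.  All data below is constructed; the advisory
identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    id: str
    coordinate: str        # "group:artifact"
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet
    summary: str


# Constructed advisory database (placeholder ids, hypothetical components).
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-2015-0001", "org.example:xml-parser", "1.0.0", "1.4.2",
             "XXE in default parser configuration"),
    Advisory("EXAMPLE-2015-0002", "org.example:xml-parser", "2.0.0", "2.0.3",
             "entity expansion denial of service"),
    Advisory("EXAMPLE-2015-0003", "org.example:util-io", "0.0.0", None,
             "path traversal in archive extraction (no fix released)"),
]

# Constructed manifest in sbt-style "group:artifact:version" form.
SAMPLE_DEPENDENCIES = [
    "org.example:xml-parser:1.3.0",
    "org.example:util-io:2.1.0",
    "org.example:logging:4.0.1",
    "org.example:xml-parser:2.0.3",
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2).  A non-numeric tail such as '-RC1' is
    dropped, so pre-releases compare as their base release (a deliberate
    simplification of real version schemes)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_cmp(a, b):
    """Compare two version strings numerically; '1.4' equals '1.4.0'.
    Returns -1, 0 or 1."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version, adv):
    """introduced <= version < fixed (open-ended when no fix exists)."""
    if version_cmp(version, adv.introduced) < 0:
        return False
    return adv.fixed is None or version_cmp(version, adv.fixed) < 0


def scan(dependencies, advisories):
    """One finding per (dependency, advisory) pair whose version falls in the
    affected range.  Findings carry the fixed version so the report can say
    what to upgrade to."""
    findings = []
    for dep in dependencies:
        group, artifact, version = dep.split(":")
        coordinate = f"{group}:{artifact}"
        for adv in advisories:
            if adv.coordinate == coordinate and is_affected(version, adv):
                findings.append({
                    "dependency": dep,
                    "advisory": adv.id,
                    "summary": adv.summary,
                    "fixed_in": adv.fixed,
                })
    return findings


def format_report(findings):
    """Human-readable report for a build log."""
    if not findings:
        return "No known-vulnerable dependencies found."
    lines = [f"{len(findings)} known-vulnerable dependency version(s):"]
    for f in findings:
        fix = f"upgrade to >= {f['fixed_in']}" if f["fixed_in"] else "no fixed version yet"
        lines.append(f"  {f['dependency']}  {f['advisory']}: {f['summary']} ({fix})")
    return "\n".join(lines)


if __name__ == "__main__":
    results = scan(SAMPLE_DEPENDENCIES, SAMPLE_ADVISORIES)
    print(format_report(results))
    # A non-zero exit status makes the build step fail when anything is found.
    raise SystemExit(1 if results else 0)
```

Note the exclusive upper bound: `xml-parser:2.0.3` is exactly the fixed version for the second advisory and is therefore not reported, while `util-io` is reported with no fix available, which is the case a build policy has to decide how to handle (fail, or allow-list with an expiry). A real scanner also has to deal with transitive dependencies and with version schemes that are not plain dotted integers.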

Assignee: Unassigned
Reporter: Mike Beckerle (mbeckerle.dfdl)