This tool is also known to work : https://fossa.com/

Let me chase up with one of my developers - we did this for a large consultancy who had existing subscriptions embedded into the ADO pipelines we built. I will check and get back to you .

@Rohit Sircar MUnit, SonarQube are for testing/code quality - but not for jar and source vulnerability scanning...

We also found this issue, related to the specific POM package for MuleSoft. Quite a few of the tools don't support this. We did however have some success with Fortify on Demand and mend.io WhiteSource.