Maven is the backbone of Java build infrastructure. Millions of Java projects depend on Maven for compilation, testing, packaging, and deployment. At the center of Maven architecture are plugins -- executable components that perform each build phase.
When you run mvn package, Maven downloads and executes compiler plugins, test plugins, packaging plugins, and any custom plugins in your configuration. Each plugin is a JAR file that runs with the full privileges of the JVM process. If any plugin is malicious or compromised, your entire build is compromised.
The Maven Plugin Trust Model
Maven Central, the default repository, requires PGP signatures on all published artifacts. In theory, this means every plugin you download has been signed by its publisher, and you can verify that signature to confirm authenticity.
In practice, almost nobody verifies PGP signatures on Maven artifacts. Maven does not verify signatures by default. The maven-gpg-plugin is for signing your own artifacts, not for verifying downloaded ones. Most developers have never checked a signature on a Maven dependency.
This means the security of your Maven build depends entirely on Maven Central not being compromised, your network not being tampered with, and your local repository cache not being modified. Each of these is an assumption, not a guarantee.
Verification Methods
Checksum Verification
Maven publishes SHA-1 and MD5 checksums alongside every artifact. Maven verifies these checksums by default when downloading. This protects against download corruption and naive tampering, but not against a compromised repository that updates checksums alongside malicious artifacts.
Starting with Maven 3.8.1, checksum verification is stricter, and SHA-256 and SHA-512 checksums are supported.
PGP Signature Verification
The pgpverify-maven-plugin can verify PGP signatures on dependencies during the build. This is the strongest verification method available in the Maven ecosystem.
<plugin>
<groupId>org.simplify4u.plugins</groupId>
<artifactId>pgpverify-maven-plugin</artifactId>
<version>1.18.2</version>
<executions>
<execution>
<goals><goal>check</goal></goals>
</execution>
</executions>
</plugin>
The challenge is key management. You need to decide which PGP keys to trust, handle key rotation, and deal with artifacts that are not signed or signed with unknown keys.
Repository Manager Verification
Enterprise repository managers like Sonatype Nexus and JFrog Artifactory act as proxy caches for Maven Central. They can enforce policies like: only approved artifacts, specific versions only, or artifacts that pass vulnerability scanning.
This is the most practical approach for organizations. Rather than verifying individual artifact signatures, you control the entire artifact supply through a managed proxy that enforces your security requirements.
Dependency Lock Files
Maven does not have native lockfile support like npm or Go, but the maven-enforcer-plugin can enforce exact dependency versions and reject unexpected transitive dependencies.
The versions-maven-plugin can generate a dependency report that you can compare across builds to detect unexpected changes.
Plugin-Specific Risks
Maven plugins have capabilities beyond regular dependencies:
Build lifecycle integration. Plugins bind to build phases and execute automatically. A malicious plugin bound to the validate phase runs before any of your code is compiled, giving it first access to the build environment.
Mojo execution. Plugin goals (Mojos) are Java classes that execute with full JVM access. They can read environment variables, make network connections, modify files, and execute system commands.
Configuration injection. Some plugins accept configuration through system properties or environment variables. If these can be influenced by an attacker (through CI/CD variable injection, for example), the plugin behavior can be modified.
Practical Recommendations
Pin all plugin versions. Never rely on Maven default plugin versions (which can change between Maven releases). Explicitly declare every plugin with an exact version in your POM.
Use a repository manager. Route all Maven downloads through a managed proxy that caches approved artifacts. This provides a control point for security scanning and version management.
Audit plugin list annually. Review the plugins in your POM and remove any that are unused or unmaintained. Check each plugin maintenance status and known vulnerabilities.
Enable strict checksum verification. Configure Maven to fail on checksum mismatches with -C flag or <checksumPolicy>fail</checksumPolicy> in your settings.
Consider PGP verification. For high-security environments, the pgpverify-maven-plugin adds a meaningful layer of artifact integrity verification.
How Safeguard.sh Helps
Safeguard.sh provides comprehensive Maven dependency and plugin monitoring. Our platform tracks vulnerabilities in both your application dependencies and build plugins, detects unexpected version changes, and generates SBOMs that include your build toolchain. When a Maven plugin is compromised or found to have vulnerabilities, Safeguard.sh alerts you before it affects your next build.