Safeguard
Tag

maven

Safeguard articles tagged "maven" — guides, analysis, and best practices for software supply chain and application security.

20 articles

Open Source Security

The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection

Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.

Jul 14, 20266 min read
Supply Chain Security

Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle

CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.

Jul 12, 20266 min read
Best Practices

Auditing and pinning transitive Java dependencies with Maven and Gradle

Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.

Jul 10, 20266 min read
Security Guides

Maven Dependency Security: Pinning, Verification, and Scanning

How to secure a Maven build in 2026 — pin versions, enforce convergence, verify artifacts, and scan the transitive tree that pom.xml never shows you.

Jul 3, 20265 min read
Security Guides

Auditing Maven Dependencies with OWASP Dependency-Check

OWASP Dependency-Check is the classic way to scan Java and Maven projects against the NVD. Learn to run it, tame its false positives, and move beyond CPE matching.

Jul 2, 20266 min read
Application Security

Fixing vulnerabilities in Maven projects

Maven vulnerability remediation isn't just running mvn versions:use-latest — here's how to triage, patch, and verify fixes without breaking builds.

May 22, 20266 min read
Application Security

Reachability Analysis for Java: A 2026 Deep Dive

Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.

Mar 4, 20266 min read
Open Source Security

Maven Central Sigstore Migration Status

Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.

Feb 12, 20267 min read
Open Source Security

Maven and Gradle dependency supply chain attacks in the J...

How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.

Jan 22, 20267 min read
Open Source Security

How Snyk resolves Maven and Gradle dependency graphs incl...

Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.

Aug 30, 20257 min read
Engineering

Java Supply Chain Security Beyond Log4Shell

Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.

Aug 21, 20256 min read
DevSecOps

Maven Release Plugin Hardening

The Maven Release Plugin is the oldest piece of release automation most Java shops still run. A look at the hardening steps it usually needs.

Oct 22, 20246 min read
maven — Safeguard Blog