maven
Safeguard articles tagged "maven" — guides, analysis, and best practices for software supply chain and application security.
20 articles
The Java ecosystem's recurring vulnerability classes: deserialization, XXE, and JNDI injection
Log4Shell scored a 10.0 CVSS and Spring4Shell followed five months later — both traced back to two patterns Java has repeated for a decade.
Generating CycloneDX and SPDX SBOMs from Java Projects with Maven and Gradle
CISA's 2025 draft update proposes four new fields on top of NTIA's minimum elements, from 7 to 11 — most Maven and Gradle-generated SBOMs still fail that bar.
Auditing and pinning transitive Java dependencies with Maven and Gradle
Maven resolves version conflicts by nearest path, not highest version — one new direct dependency can silently reintroduce a patched CVE.
Maven Dependency Security: Pinning, Verification, and Scanning
How to secure a Maven build in 2026 — pin versions, enforce convergence, verify artifacts, and scan the transitive tree that pom.xml never shows you.
Auditing Maven Dependencies with OWASP Dependency-Check
OWASP Dependency-Check is the classic way to scan Java and Maven projects against the NVD. Learn to run it, tame its false positives, and move beyond CPE matching.
Fixing vulnerabilities in Maven projects
Maven vulnerability remediation isn't just running mvn versions:use-latest — here's how to triage, patch, and verify fixes without breaking builds.
Reachability Analysis for Java: A 2026 Deep Dive
Java reachability under classpath reality: reflection, Spring autowiring, shaded JARs, Log4Shell, and what modern tools actually resolve versus over-approximate.
Maven Central Sigstore Migration Status
Maven Central's move from GPG to Sigstore is genuinely underway in 2026. Here is where the transition actually stands and what Java shops should do now.
Maven and Gradle dependency supply chain attacks in the J...
How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.
How Snyk resolves Maven and Gradle dependency graphs incl...
Snyk doesn't parse pom.xml or build.gradle statically -- it invokes real Maven and Gradle tooling to compute the exact dependency graph your build produces.
Java Supply Chain Security Beyond Log4Shell
Log4Shell was the fire drill. The structural problems — unverified Maven resolution, invisible shaded jars, sprawling transitive graphs — are still there. Here's what to actually fix.
Maven Release Plugin Hardening
The Maven Release Plugin is the oldest piece of release automation most Java shops still run. A look at the hardening steps it usually needs.