Best practices for configuring Maven to be scanned by CybeDefend, with an emphasis on lockfile-like mechanisms.
If your Java application uses Maven, CybeDefend can detect vulnerabilities in your pom.xml, .jar, .war, or .ear files. However, you'll get the best results if you explicitly pin or lock dependencies to stable versions.
Pin Versions in pom.xml
Make sure each dependency in <dependencies> includes a specific version number.
Use a Lockfile-Like Approach
While Maven doesn't have an official universal lockfile, certain plugins or pinned version strategies replicate the effect:
Use <dependencyManagement> in your parent POM to centralize version definitions.
The Versions Maven Plugin goals versions:lock-snapshots or versions:use-releases can help freeze your dependencies.
Generate Flattened POM
The Maven Flatten Plugin creates a simplified POM with all versions resolved.
Store pom.xml in Repo
This ensures that the entire team, and CybeDefend, see the exact dependency versions.
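Because Maven has no lockfile to diff against, a quick way to confirm the pinning steps above actually took effect is to scan the POM for anything that still resolves dynamically. The script below is an added example (not CybeDefend's tooling and not from the original page): it parses a constructed sample pom.xml, resolves `${property}` placeholders and the file's own <dependencyManagement> entries, and reports every dependency whose version is missing and unmanaged, a range, a SNAPSHOT, LATEST/RELEASE, or an unresolved property. It does not follow parent POMs or imported BOMs, so run it against the flattened POM if you rely on a parent.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample pom.xml (not from CybeDefend's docs) mixing pinned and unpinned entries.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion><groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0.0</version>
  <properties><jackson.version>2.17.2</jackson.version></properties>
  <dependencyManagement><dependencies><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>2.0.13</version></dependency></dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>${jackson.version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>[3.0,)</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>internal-lib</artifactId><version>1.2-SNAPSHOT</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>LATEST</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId></dependency>
  </dependencies>
</project>"""
UNPINNED_RULES = (  # ordered (reason, predicate on the resolved version); first match wins
    ("no version declared or managed", lambda v: v is None),
    ("unresolved property", lambda v: "${" in v),
    ("version range", lambda v: v.startswith(("[", "("))),
    ("SNAPSHOT", lambda v: v.endswith("-SNAPSHOT")),
    ("dynamic LATEST/RELEASE", lambda v: v in ("LATEST", "RELEASE")),
)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM XML namespace from a tag name

def _text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), None)

def _coord(dep):
    return f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"

def unpinned_dependencies(pom_xml):
    """Return [(groupId:artifactId, version, reason)] for each dependency not pinned (this file only)."""
    root = ET.fromstring(pom_xml)
    props, managed, findings = {}, {}, []
    for section in root:
        if _local(section.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in section}
        elif _local(section.tag) == "dependencyManagement":
            managed = {_coord(d): _text(d, "version") for deps in section for d in deps}
    for dep in (e for e in root.iter() if _local(e.tag) == "dependency"):  # managed, direct, plugin, profile
        version = _text(dep, "version") or managed.get(_coord(dep))
        if version is not None:  # single-pass ${property} substitution against <properties>
            version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        reason = next((r for r, rule in UNPINNED_RULES if rule(version)), None)
        if reason:
            findings.append((_coord(dep), version, reason))
    return findings
```

On the sample, jackson-databind (property resolved to 2.17.2) and the direct slf4j-api entry (managed at 2.0.13) pass, while the range, SNAPSHOT, LATEST and unmanaged junit entries are reported.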
Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.
Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.
For advanced usage, some teams generate .flattened-pom.xml or use ephemeral lock plugins. The key is to produce a stable, pinned set of dependencies that CybeDefend can accurately scan.
| File Examples |
|---|
| pom.xml, .jar, .war, .ear, .flattened-pom.xml |
Remember to re-run Maven and commit any updated metadata or flattened POM files if your plugin of choice modifies them.
Once your Maven project is ready, create a new project in CybeDefend referencing this codebase. SCA scanning will detect vulnerabilities in pinned dependencies more accurately.