If your Java application uses Maven, CybeDefend can detect vulnerabilities in your pom.xml, .jar, .war, or .ear files. However, you’ll get the best results if you explicitly pin or lock dependencies to stable versions.

  1. Pin Versions in pom.xml
    Make sure each dependency in <dependencies> includes a specific version number:

    <dependency>
  <groupId>org.example</groupId>
  <artifactId>example-library</artifactId>
  <version>1.2.3</version> <!-- Use exact version, not ranges -->
</dependency>

  2. Use a Lockfile-Like Approach
    While Maven doesn’t have an official universal lockfile, certain plugins or pinned version strategies replicate the effect.

    • Dependency Management: Use <dependencyManagement> in your parent pom to centralize version definitions.
    • Versions Maven Plugin: Tools like versions:lock-snapshots or versions:use-releases can help freeze your dependencies.
    • Maven Enforcer: Consider using the enforcer plugin to ban dependency version ranges.

  3. Generate Flattened POM
    The Maven Flatten Plugin creates a simplified POM with all versions resolved:

    <plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>flatten-maven-plugin</artifactId>
  <version>1.3.0</version>
  <configuration>
    <flattenMode>resolveCiFriendliesOnly</flattenMode>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>flatten</goal>
      </goals>
    </execution>
  </executions>
</plugin>

  4. Store pom.xml in Repo
    This ensures that the entire team, and CybeDefend, see the exact dependency versions.

Why You Should Use Lockfiles

Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.

  1. Supply Chain Protection
    Lockfiles prevent malicious package injections. This is crucial as supply chain attacks are rising.
  2. Predictable Builds
    Everyone uses the exact same package versions, avoiding “it works on my machine” inconsistencies.
  3. Performance Gains
    With dependency versions locked, build tools skip the usual resolution step, making builds faster.

Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.

For advanced usage, some teams generate .flattened-pom.xml or use ephemeral lock plugins. The key is to produce a stable, pinned set of dependencies that CybeDefend can accurately scan.

Supported Files for Java/Maven

File Examples
pom.xml, .jar, .war, .ear, .flattened-pom.xml

Remember to re-run Maven and commit any updated metadata or flattened POM files if your plugin of choice modifies them.

Once your Maven project is ready, create a new project in CybeDefend referencing this codebase. SCA scanning will detect vulnerabilities in pinned dependencies more accurately.