We are excited to announce that OSV-Scanner now supports transitive dependency scanning for Maven pom.xml.
This highly requested feature empowers you to detect vulnerabilities in both your direct and indirect dependencies in the Maven ecosystem, giving you a complete picture of your Maven-based project’s known vulnerable dependencies. With this feature, OSV-Scanner fixes one out of two ecosystems/formats when it comes to transitive scanning capabilities.
How does it work?
OSV-Scanner first uses deps.dev’s Maven parser library to generate an effective POM which includes project inheritance, importing managed dependencies and project interpolation. This may involve fetching Maven projects from Maven Central repository.
OSV-Scanner then invokes deps.dev’s resolver library to compute a dependency graph for the processed project. This graph includes all the direct and transitive dependencies of your project. Maven requirements are provided by the deps.dev API.
After the dependency resolution, OSV-Scanner queries the OSV.dev database for vulnerabilities associated with these dependencies.
Using transitive dependency support
This feature is enabled by default in OSV-Scanner when you scan a pom.xml
file or a directory of your Maven project.
osv-scanner -r path/to/your/directory
osv-scanner -L path/to/your/pom.xml
osv-scanner -L pom.xml:path/to/your/file
For example, a project only declares the following direct dependency in pom.xml, but vulnerabilities of the transitive dependencies are also reported by OSV-Scanner.
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-web</artifactId>
<version>2.14.1</version>
</dependency>
Transitive dependency support is disabled in the experimental offline mode.
See our detailed documentation for more usage information on transitive dependency scanning.
Try it today!
Transitive dependency support for Maven is available in OSV-Scanner version 1.8.1. This feature can help you to improve the security of your Maven projects so give it a try, and we would love your feedback.