Announcing Transitive Dependency Support for Maven pom.xml in OSV-Scanner

Posted by Xueqin Cui on Jun 20, 2024

We are excited to announce that OSV-Scanner now supports transitive dependency scanning for Maven pom.xml.

This highly requested feature empowers you to detect vulnerabilities in both your direct and indirect dependencies in the Maven ecosystem, giving you a complete picture of your Maven-based project’s known vulnerable dependencies. With this feature, OSV-Scanner fixes one out of two ecosystems/formats when it comes to transitive scanning capabilities.

How does it work?

OSV-Scanner first uses deps.dev’s Maven parser library to generate an effective POM which includes project inheritance, importing managed dependencies and project interpolation. This may involve fetching Maven projects from Maven Central repository.

OSV-Scanner then invokes deps.dev’s resolver library to compute a dependency graph for the processed project. This graph includes all the direct and transitive dependencies of your project. Maven requirements are provided by the deps.dev API.

After the dependency resolution, OSV-Scanner queries the OSV.dev database for vulnerabilities associated with these dependencies.

Using transitive dependency support

This feature is enabled by default in OSV-Scanner when you scan a pom.xml file or a directory of your Maven project.

osv-scanner -r path/to/your/directory

osv-scanner -L path/to/your/pom.xml

osv-scanner -L pom.xml:path/to/your/file

For example, a project only declares the following direct dependency in pom.xml, but vulnerabilities of the transitive dependencies are also reported by OSV-Scanner.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-web</artifactId>
    <version>2.14.1</version>
</dependency>

Vulnerabilities reported scanning transitive dependencies in Maven pom.xml

Transitive dependency support is disabled in the experimental offline mode.

See our detailed documentation for more usage information on transitive dependency scanning.

Try it today!

Transitive dependency support for Maven is available in OSV-Scanner version 1.8.1. This feature can help you to improve the security of your Maven projects so give it a try, and we would love your feedback.