Java
Java package analysis and vulnerability scanning capabilities
Package analysis
| Cataloger | Evidence | License | Dependencies: Depth | Dependencies: Edges | Dependencies: Kinds | Package Manager Claims: Files | Package Manager Claims: Digests | Package Manager Claims: Integrity Hash |
|---|---|---|---|---|---|---|---|---|
| graalvm-native-image-cataloger | application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | | transitive | complete | runtime, dev | | | |
| java-archive-cataloger | `*.jar`, `*.war`, `*.ear`, `*.par`, `*.sar`, `*.nar`, `*.jpi`, `*.hpi`, `*.kar`, `*.lpkg` | | transitive | complete | runtime, dev | | | |
| java-archive-cataloger | `*.zip` | | transitive | complete | runtime, dev | | | |
| java-archive-cataloger | `*.tar`, `*.tar.gz`, `*.tgz`, `*.tar.bz`, `*.tar.bz2`, `*.tbz`, `*.tbz2`, `*.tar.br`, `*.tbr`, `*.tar.lz4`, `*.tlz4`, `*.tar.sz`, `*.tsz`, `*.tar.xz`, `*.txz`, `*.tar.zst`, `*.tzst`, `*.tar.zstd`, `*.tzstd` | | transitive | complete | runtime, dev | | | |
| java-gradle-lockfile-cataloger | `gradle.lockfile*` | | transitive | | runtime, dev | | | |
| java-jvm-cataloger | `release` | | transitive | | runtime, dev | | | |
| java-pom-cataloger | `*pom.xml` | | direct | complete | runtime, dev | | | |
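The java-archive-cataloger rows above cover jars and the archives that carry them. The following Python script is an added illustration (not Syft's cataloger code) of the core idea: every `META-INF/maven/<groupId>/<artifactId>/pom.properties` entry in an archive names one Maven artifact, and nested jars (libraries repackaged inside an uber jar, or under `BOOT-INF/lib/` in a Spring Boot fat jar) must be walked as well, because a vulnerable library hidden that way is exactly what a listing of top-level files misses. The sample jar, its nested jar and all coordinates are constructed in the script and are not real artifacts.

```python
"""Identify Java packages embedded in a jar from its Maven pom.properties metadata.

Added example, not Syft code: walks an archive and any nested archives, returning
(groupId, artifactId, version, location) for each pom.properties it finds.
"""
import io
import zipfile

POM_PROPS_PREFIX = "META-INF/maven/"
POM_PROPS_SUFFIX = "/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear")


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else (":" if ":" in line else None)
        if sep is None:
            continue
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def packages_in_archive(data, location="", depth=0, max_depth=5):
    """Collect Maven coordinates from one archive (bytes); recurse into nested archives.

    `location` records where the metadata was found, using '!/' between archive
    levels; `max_depth` bounds recursion so a pathological archive cannot run away.
    """
    found = []
    if depth > max_depth:
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(POM_PROPS_PREFIX) and name.endswith(POM_PROPS_SUFFIX):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found.append((props["groupId"], props["artifactId"],
                                  props["version"], f"{location}{name}"))
            elif name.endswith(NESTED_SUFFIXES):
                found.extend(packages_in_archive(zf.read(name), f"{location}{name}!/",
                                                 depth + 1, max_depth))
    return found


def build_sample_jar():
    """Constructed sample: an application jar that repackages a library jar inside it."""
    def props(group, artifact, version):
        return f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n"

    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as zf:
        zf.writestr("META-INF/maven/org.example.lib/util/pom.properties",
                    props("org.example.lib", "util", "1.2.3"))
        zf.writestr("org/example/lib/Util.class", b"\xca\xfe\xba\xbe")  # placeholder bytes

    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/org.example.app/app/pom.properties",
                    props("org.example.app", "app", "2.0.0"))
        zf.writestr("BOOT-INF/lib/util-1.2.3.jar", lib.getvalue())
    return app.getvalue()


if __name__ == "__main__":
    for group, artifact, version, where in packages_in_archive(build_sample_jar()):
        print(f"{group}:{artifact}:{version}  ({where})")
```

Running it lists both the application and the nested `org.example.lib:util:1.2.3`, with the location showing the archive nesting. A real scanner also reads `MANIFEST.MF` for jars that ship without Maven metadata, which this example leaves out.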
Syft Configuration
| Configuration Key | Description |
|---|---|
| java.maven-local-repository-dir | Specifies the location of the local Maven repository. When not set, defaults to ~/.m2/repository. |
| java.maven-url | Specifies the base URL(s) to use for fetching POMs and metadata from Maven Central or other repositories. When not set, defaults to https://repo1.maven.org/maven2. Only consulted when java.use-network is enabled; in an egress-restricted scanner, point this at an internal mirror. |
| java.max-parent-recursive-depth | Limits how many parent POMs will be fetched recursively before stopping. This prevents infinite loops or excessively deep parent chains. Set it too low and dependencies whose version is only declared in an ancestor's dependencyManagement stay unversioned, which in turn weakens vulnerability matching. |
| java.resolve-transitive-dependencies | Enables resolving transitive dependencies for Java packages found within archives. |
| java.use-maven-local-repository | Enables searching the local Maven repository (~/.m2/repository by default) for parent POMs and other metadata. |
| java.use-network | Enables network operations for Java package metadata enrichment, such as fetching parent POMs and license information. Each POM that cannot be resolved locally then becomes an outbound request to java.maven-url, so leave this off (the default) on air-gapped or egress-controlled scanners, or combine it with an internal mirror. |
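The settings java.use-maven-local-repository, java.max-parent-recursive-depth and java.use-network interact: a dependency that a pom.xml declares without a version only gets one from a parent's dependencyManagement, and each parent is another POM to locate on disk or over the network. The following Python script is an added example (not Syft's resolver) of a depth-bounded, offline-only walk of that chain. The repository layout follows the standard local-repository convention, the POMs and coordinates are made up and written to a temporary directory, and the parent chain is deliberately cyclic to show why the recursion limit and a seen-set are needed.

```python
"""Resolve dependency versions through a parent-POM chain from a local Maven repository.

Added example, not Syft's code. Parents are looked up on disk only (the equivalent of
use-maven-local-repository without use-network) and the walk is bounded by a depth
limit (the equivalent of max-parent-recursive-depth) plus a cycle check.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def pom_path(repo, group, artifact, version):
    """Local-repository layout: <repo>/<groupId as dirs>/<artifactId>/<version>/<artifactId>-<version>.pom"""
    return os.path.join(repo, *group.split("."), artifact, version, f"{artifact}-{version}.pom")


def load_pom(repo, group, artifact, version):
    """Read a POM from the local repository only; None when absent (no network fallback here)."""
    path = pom_path(repo, group, artifact, version)
    return ET.parse(path).getroot() if os.path.isfile(path) else None


def text(elem, tag):
    node = elem.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None


def managed_versions(pom):
    """dependencyManagement entries as {(groupId, artifactId): version}."""
    out = {}
    for dep in pom.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        g, a, v = text(dep, "groupId"), text(dep, "artifactId"), text(dep, "version")
        if g and a and v:
            out[(g, a)] = v
    return out


def resolve_dependencies(repo, group, artifact, version, max_parent_depth=5):
    """Declared dependencies as {(groupId, artifactId): version or None}.

    Versions missing from the POM are filled from dependencyManagement of the POM
    itself and then of each ancestor (nearest wins), visiting at most
    max_parent_depth parents and stopping at a cyclic parent declaration.
    """
    pom = load_pom(repo, group, artifact, version)
    if pom is None:
        raise FileNotFoundError(f"{group}:{artifact}:{version} not in local repository")
    deps = {(text(d, "groupId"), text(d, "artifactId")): text(d, "version")
            for d in pom.findall("m:dependencies/m:dependency", NS)}

    def fill(managed):
        for coord, ver in managed.items():
            if deps.get(coord, "") is None:      # declared, but without a version
                deps[coord] = ver

    fill(managed_versions(pom))
    seen = {(group, artifact, version)}
    current, depth = pom, 0
    while depth < max_parent_depth:
        parent = current.find("m:parent", NS)
        if parent is None:
            break
        key = (text(parent, "groupId"), text(parent, "artifactId"), text(parent, "version"))
        if key in seen:
            break                                  # cyclic parent chain: stop, do not loop
        seen.add(key)
        current = load_pom(repo, *key)
        if current is None:
            break                                  # not cached locally; use-network would fetch it
        depth += 1
        fill(managed_versions(current))
    return deps


def build_sample_repo(root):
    """Constructed POMs with made-up coordinates: app -> parent -> grandparent -> parent (cycle)."""
    def write(group, artifact, version, body):
        path = pom_path(root, group, artifact, version)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f'<project xmlns="{NS["m"]}">{body}</project>')

    write("org.example", "app", "1.0",
          "<parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>3</version></parent>"
          "<dependencies>"
          "<dependency><groupId>org.example.lib</groupId><artifactId>util</artifactId></dependency>"
          "<dependency><groupId>org.example.lib</groupId><artifactId>crypto</artifactId><version>0.9</version></dependency>"
          "</dependencies>")
    write("org.example", "parent", "3",
          "<parent><groupId>org.example</groupId><artifactId>grandparent</artifactId><version>1</version></parent>"
          "<dependencyManagement><dependencies>"
          "<dependency><groupId>org.example.lib</groupId><artifactId>util</artifactId><version>1.2.3</version></dependency>"
          "</dependencies></dependencyManagement>")
    write("org.example", "grandparent", "1",
          "<parent><groupId>org.example</groupId><artifactId>parent</artifactId><version>3</version></parent>")


def resolve_sample(max_parent_depth=5):
    """Build the sample repository in a temp dir and resolve org.example:app:1.0 against it."""
    with tempfile.TemporaryDirectory() as repo:
        build_sample_repo(repo)
        return resolve_dependencies(repo, "org.example", "app", "1.0", max_parent_depth)


if __name__ == "__main__":
    for (g, a), v in resolve_sample().items():
        print(f"{g}:{a}:{v or '<unresolved>'}")
```

With the default depth the util dependency resolves to 1.2.3 from the parent, and the grandparent's back-reference to the parent is detected rather than followed. With `max_parent_depth=0` util stays unversioned: that is the trade-off the limit makes, losing a version (and any match that depends on it) instead of hanging the scan on a runaway chain.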
Vulnerability scanning
| Data Source | Disclosures: Affected | Disclosures: Date | Fixes: Versions | Fixes: Date | Track by Source Package |
|---|---|---|---|---|---|
| GitHub Security Advisories (GHSA) | | | | | |
| National Vulnerability Database (NVD) | | | | | |
Grype Configuration
| Configuration Key | Description |
|---|---|
| match.java.using-cpes | Use CPE package identifiers to find vulnerabilities, in addition to matching on exact Maven coordinates. CPE names are coarser than groupId:artifactId, so enabling this raises recall at the cost of false positives; review matches it introduces before treating them as findings. |