Java
Java package analysis and vulnerability scanning capabilities
Package analysis
| Cataloger | Evidence | License | Dependencies: Depth | Dependencies: Edges | Dependencies: Kinds | Package Manager Claims: Files | Package Manager Claims: Digests | Package Manager Claims: Integrity Hash |
|---|---|---|---|---|---|---|---|---|
| graalvm-native-image-cataloger | application/x-executable, application/x-mach-binary, application/x-elf, application/x-sharedlib, application/vnd.microsoft.portable-executable (mimetype) | | Transitive | Complete | Runtime, Dev | | | |
| java-archive-cataloger | *.jar, *.war, *.ear, *.par, *.sar, *.nar, *.jpi, *.hpi, *.kar, *.lpkg | | Transitive | Complete | Runtime, Dev | | | |
| java-archive-cataloger | *.zip | | Transitive | Complete | Runtime, Dev | | | |
| java-archive-cataloger | *.tar, *.tar.gz, *.tgz, *.tar.bz, *.tar.bz2, *.tbz, *.tbz2, *.tar.br, *.tbr, *.tar.lz4, *.tlz4, *.tar.sz, *.tsz, *.tar.xz, *.txz, *.tar.zst, *.tzst, *.tar.zstd, *.tzstd | | Transitive | Complete | Runtime, Dev | | | |
| java-gradle-lockfile-cataloger | gradle.lockfile* | | Transitive | | Runtime, Dev | | | |
| java-jvm-cataloger | release | | Transitive | | Runtime, Dev | | | |
| java-pom-cataloger | *pom.xml | | Direct | Complete | Runtime, Dev | | | |
Syft Configuration
| Configuration Key | Description |
|---|---|
| java.maven-local-repository-dir | Specifies the location of the local maven repository. When not set, defaults to ~/.m2/repository. |
| java.maven-url | Specifies the base URL(s) to use for fetching POMs and metadata from maven central or other repositories. When not set, defaults to https://repo1.maven.org/maven2. |
| java.max-parent-recursive-depth | Limits how many parent POMs will be fetched recursively before stopping. This prevents infinite loops or excessively deep parent chains. |
| java.resolve-transitive-dependencies | Enables resolving transitive dependencies for java packages found within archives. |
| java.use-maven-local-repository | Enables searching the local maven repository (~/.m2/repository by default) for parent POMs and other metadata. |
| java.use-network | Enables network operations for java package metadata enrichment, such as fetching parent POMs and license information. |
Archives
When scanning a Java archive (e.g. jar, war, ear, …), Syft will look for maven project evidence within the archive recursively.
This means that if a jar file contains other jar files, Syft will also look for pom.xml files within those nested jar files to identify packages (such as with shaded jars).
Additionally, if opted-in via configuration, Syft will scan non-java archive files (e.g., zip, tar, tar.gz, …) for Java package evidence as well.
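The following `.syft.yaml` is an added example, not a file from the Syft project or from this page. It puts the `java.*` keys from the configuration table above into a profile for a CI runner that must not reach the internet during a scan, and it shows the opt-in for scanning non-Java archives that the Archives section describes. The `package.search-*-archives` keys come from Syft's general configuration reference rather than this page; the repository path and mirror URL are placeholders.

```yaml
# .syft.yaml (added example; not Syft's own file)
#
# Profile for an isolated build runner: parent POMs and license metadata are
# resolved only from the runner's local Maven cache, never from the network.
java:
  use-network: false                    # no outbound fetches during the scan
  use-maven-local-repository: true      # consult the local cache instead
  maven-local-repository-dir: /home/ci/.m2/repository   # placeholder path
  max-parent-recursive-depth: 5         # bound parent-POM chains
  resolve-transitive-dependencies: false

  # If network resolution is allowed, point it at an internal mirror rather
  # than Maven Central so scans do not depend on, or leak to, the public repo:
  # use-network: true
  # maven-url: https://artifacts.example.internal/maven2   # placeholder URL

# Opt-in for Java evidence inside non-Java archives (zip, tar, tar.gz, ...).
# These keys are from Syft's general config reference, not the table above.
package:
  search-indexed-archives: true         # zip-style archives with a central directory
  search-unindexed-archives: true       # tar-style archives; requires full extraction
```

Keeping `use-network` off makes the scan deterministic and keeps build metadata inside the environment; the trade-off is that parent POMs absent from the local cache cannot be resolved, so license and group information for those packages may be missing from the SBOM. Enabling `search-unindexed-archives` can slow scans noticeably because tar archives must be fully read to find nested jars.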
Vulnerability scanning
| Data Source | Disclosures: Affected | Disclosures: Date | Fixes: Versions | Fixes: Date | Track by Source Package |
|---|---|---|---|---|---|
| GitHub Security Advisories (GHSA) | | | | | |
| National Vulnerability Database (NVD) | | | | | |
Grype Configuration
| Configuration Key | Description |
|---|---|
| match.java.using-cpes | Use CPE package identifiers to find vulnerabilities |
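A `.grype.yaml` fragment for the key above, added here as an example rather than taken from the Grype project or this page. CPE-based matching adds NVD records that are keyed by CPE rather than by package name, which widens coverage but also admits matches from inexact CPE generation, so results enabled this way warrant review.

```yaml
# .grype.yaml (added example; not Grype's own file)
match:
  java:
    # Match Java packages against NVD entries by CPE in addition to the
    # name/version matching used with GHSA data. Broader coverage, but
    # generated CPEs can be imprecise, so expect some findings to need triage.
    using-cpes: true
```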