
Find vulnerabilities in Java or Kotlin with Maven

You can scan Java or Kotlin code in Maven repositories using the SCA agent command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Java packaging.

The requirements for running a scan and reviewing results for Kotlin repositories are the same as the requirements for Java repositories.

For packaging instructions for Veracode Static Analysis, see Packaging Kotlin applications.

Scan your code

You can scan any code repository to which you have access and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-java-maven

After you add a srcclr.yml file to the directory at which you point the Veracode SCA agent, you can specify scan directives for scanning your Maven code. Some scan directives are specific to Maven projects.

Before you begin:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the Maven repository.
  • Include the pom.xml file in the directory where you perform scans.
  • Use Maven 3.1 or later with the executable installed in the local path.
  • In your ~/.m2/settings.xml file, ensure that you properly set up any Nexus servers or authentications to successfully compile code.
  • Be able to run the mvn dependency:tree command from the root of the project where you perform scans.
  • If access to maven.apache.org is restricted, set the SRCCLR_MAVEN_DEP_TREE_COLLECTOR environment variable to true.

The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:

mvn compile -Dcheckstyle.skip=true -e -DskipTests \
-DskipITs -Dmaven.test.skip=true --fail-fast --nsu -Denforcer.skip=true

To complete this task:

At the command line, run the scan command pointed to the directory of the Maven repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Scan the dependency tree

The Veracode SCA agent can scan the output of the Maven dependency:tree command. For dependency tree scanning, the agent requires you to specify the --stdin=maven input option.

You must compile the project before scanning to enable vulnerable method analysis.

Caution

Dependency tree scanning disables scanning for all other package managers.

You can scan the dependency tree for Maven using either of these methods:

  • Redirect the output of the Maven dependency:tree command directly to the Veracode SCA agent. For example:

    mvn dependency:tree | srcclr scan --stdin=maven
  • Redirect the output of the dependency:tree command into a file and point the Veracode SCA agent to the file using the dependency_tree_file scan directive. For example, in Linux bash:

    mvn dependency:tree > tree.txt
    SRCCLR_DEPENDENCY_TREE_FILE=tree.txt srcclr scan --stdin=maven

If you want to specify the scope of dependencies included in the scan, we recommend setting the scope scan directive in the agent instead of setting the scope property of the mvn command. The scan directive allows more precise scope selection.

Fix example direct vulnerability

When your pom.xml configuration file specifically references a library, or you add the library to your project as a JAR file, Veracode SCA refers to the library as a direct dependency.

These example steps provide a fix for an Unauthorized Modification of Nodes vulnerability in Apache Kafka, version 0.9.0.1, in the example-java-maven repository.

To complete this task:

  1. Edit the pom.xml file in the root of the project to match this example:

    <dependency>
      <groupId>org.apache.kafka</groupId>
      <artifactId>kafka_2.11</artifactId>
      <version>0.10.2.1</version>
    </dependency>
  2. Validate the fix.

Fix example transitive vulnerability

To fix a transitive library for Maven, override the transitive dependency by adding the appropriately versioned dependency as a direct library.

These steps provide a fix for a Timing Attack Via Comparison Function vulnerability in OrientDB Core, version 2.1.9, in the example-java-maven repository.

To complete this task:

  1. Add this text to the pom.xml file in the root of the project:

    <dependency>
      <groupId>com.orientechnologies</groupId>
      <artifactId>orientdb-core</artifactId>
      <version>2.1.11</version>
    </dependency>
  2. Validate the fix.
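The dependency-tree scanning section above describes feeding `mvn dependency:tree` output to the agent, and the two fix examples distinguish a direct dependency (fixed by bumping its own version) from a transitive one (fixed by declaring the patched version as a direct dependency). The following Python script is an added example, not Veracode's agent code or part of the example-java-maven project: it parses a constructed sample of `dependency:tree` output, classifies each library by depth, and flags the two versions the fix examples name as below their fixed versions. The sample tree, the hard-coded `FIXED_VERSIONS` table and the helper names are all assumptions made for this illustration; in practice the vulnerable library list comes from the scan results.

```python
"""Parse `mvn dependency:tree` output and flag libraries below a known fixed
version. Added example, not Veracode's agent code; it only illustrates what
dependency-tree scanning consumes and how a direct fix differs from a
transitive override."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output (not captured from the real
# example-java-maven project). The two vulnerable versions match the ones the
# page's fix examples name: kafka_2.11 0.9.0.1 and orientdb-core 2.1.9.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ example-java-maven ---
[INFO] com.example:example-java-maven:jar:1.0-SNAPSHOT
[INFO] +- org.apache.kafka:kafka_2.11:jar:0.9.0.1:compile
[INFO] |  +- org.apache.kafka:kafka-clients:jar:0.9.0.1:compile
[INFO] |  \\- org.scala-lang:scala-library:jar:2.11.7:compile
[INFO] +- com.example:db-wrapper:jar:1.2.0:compile
[INFO] |  \\- com.orientechnologies:orientdb-core:jar:2.1.9:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

# Fixed versions taken from the page's two fix examples. This table is an
# assumption for the demo; a real policy comes from the SCA results.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("org.apache.kafka", "kafka_2.11"): "0.10.2.1",
    ("com.orientechnologies", "orientdb-core"): "2.1.11",
}

# Each tree level is drawn with a three-character chunk: "+- ", "\- ", "|  " or "   ".
_LINE = re.compile(r"^(?:\[INFO\] )?((?:\+- |\\- |\|  |   )*)([^\s:]+:[^\s]+)$")


@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str      # "" for the project root line
    depth: int      # 0 = root, 1 = direct dependency, >= 2 = transitive

    @property
    def direct(self) -> bool:
        return self.depth == 1


def parse_tree(text: str) -> List[Dep]:
    """Turn dependency:tree output into Dep records, skipping banner lines."""
    deps: List[Dep] = []
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue                      # plugin banner, blank or unrelated log line
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) == 4:               # root: group:artifact:type:version
            g, a, ver, scope = parts[0], parts[1], parts[3], ""
        elif len(parts) == 5:             # group:artifact:type:version:scope
            g, a, ver, scope = parts[0], parts[1], parts[3], parts[4]
        elif len(parts) == 6:             # group:artifact:type:classifier:version:scope
            g, a, ver, scope = parts[0], parts[1], parts[4], parts[5]
        else:
            continue
        deps.append(Dep(g, a, ver, scope, depth))
    return deps


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key; non-numeric parts compare as 0 (enough for x.y.z)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_outdated(deps: List[Dep], fixed: Dict[Tuple[str, str], str]) -> List[Tuple[Dep, str]]:
    """Return (dep, fixed_version) for every library resolved below its fixed version."""
    return [
        (d, fixed[(d.group, d.artifact)])
        for d in deps
        if (d.group, d.artifact) in fixed
        and version_key(d.version) < version_key(fixed[(d.group, d.artifact)])
    ]


def suggest_fix(dep: Dep, fixed_version: str) -> str:
    """Describe the pom.xml change the page prescribes for direct vs transitive hits."""
    coord = f"{dep.group}:{dep.artifact}"
    if dep.direct:
        return f"bump direct dependency {coord} from {dep.version} to {fixed_version}"
    return (f"override transitive dependency {coord} {dep.version} by declaring "
            f"{coord}:{fixed_version} as a direct dependency")


if __name__ == "__main__":
    for dep, fixed in find_outdated(parse_tree(SAMPLE_TREE), FIXED_VERSIONS):
        print(suggest_fix(dep, fixed))
```

Running the script against a real project is as simple as piping `mvn dependency:tree` into it, the same way the page pipes the tree into `srcclr scan --stdin=maven`; the depth of each entry is what tells you whether the page's direct fix or its transitive override applies.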