The Maven Rulepack

The Maven RulePack has the following default behavior:

  • Discovers all pom.xml files in the provided codebase recursively.

  • Runs Maven dependency plugin on all pom.xml files discovered.

To see how dependency resolution will behave during scanning, run the following command locally against a given pom.xml: mvn -s /path/to/settings.xml dependency:tree
  • If you are using an internal Maven repository (such as Artifactory), it may be necessary to upload a settings.xml file so that dependencies resolve correctly. This file can be applied when adding an application in the WhiteHat Portal, or to all scans by the Threat Research Center.

  • If snapshot versions are present in the pom files for the version or branch being scanned, they must be downloadable from Maven Central or from the internal Maven repository. This is especially important for included and parent poms.

  • If a parent pom or snapshot cannot be resolved, the scanner will substitute a mock pom to prevent the scan from failing. In this case, the scan is unlikely to achieve full coverage and you are likely to see a lack of dataflow findings.
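The following pre-scan check is an added example and not WhiteHat's own tooling: it mirrors the RulePack's default behavior (find every pom.xml recursively, run the dependency plugin on each with a settings.xml) so that unresolved parent poms or snapshots are caught before a scan, rather than discovered afterwards as missing dataflow findings. The root directory, settings path and the MVN override variable are this example's own assumptions; mvn must be on PATH and able to reach the configured repository.

```sh
#!/usr/bin/env sh
# Added example (not from the original page): check that every pom.xml in a
# codebase resolves its dependencies with the settings.xml the scanner will use.
# Assumptions: "$1" is the codebase root, "$2" is the settings.xml path, and
# mvn is on PATH (set MVN=<command> to substitute another runner, e.g. in tests).

find_poms() {
  # Discover all pom.xml files below the root, skipping target/ build output
  # (compiled poms under target/ are copies and would be checked twice).
  find "$1" -type d -name target -prune -o -type f -name pom.xml -print
}

resolve_tree() {
  # Run the Maven dependency plugin for one pom and return mvn's exit status.
  # -s applies the settings.xml that points at the internal repository;
  # -f selects the pom; -q -B keep the output quiet and non-interactive.
  pom="$1"; settings="$2"
  ${MVN:-mvn} -q -B -s "$settings" -f "$pom" dependency:tree
}

check_all() {
  # Report each pom as OK or UNRESOLVED. An UNRESOLVED pom is one the scanner
  # would replace with a mock pom, which means reduced coverage for that module.
  # Returns 0 when everything resolves, 1 otherwise. Paths are assumed to contain
  # no newline characters.
  root="$1"; settings="$2"
  total=0; failed=0
  list=$(mktemp)
  find_poms "$root" > "$list"
  while IFS= read -r pom; do
    total=$((total + 1))
    if resolve_tree "$pom" "$settings" >/dev/null 2>&1; then
      echo "OK         $pom"
    else
      echo "UNRESOLVED $pom"
      failed=$((failed + 1))
    fi
  done < "$list"
  rm -f "$list"
  echo "$failed of $total pom files did not resolve with $settings"
  [ "$failed" -eq 0 ]
}

# Usage: ./check_poms.sh /path/to/codebase /path/to/settings.xml
if [ "$#" -eq 2 ]; then
  check_all "$1" "$2"
fi
```

Run it with the same settings.xml you intend to upload to the portal; any UNRESOLVED line points at a module whose parent pom or snapshot is not reachable from the configured repository, and fixing that before the scan is what restores full dataflow coverage.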