npm package discovery and stats viewer.


© 2025 – Pkg Stats / Ryan Hefner

snyk-mvn-plugin

v4.5.0

Published

Snyk CLI Maven plugin

Readme

Snyk helps you find, fix and monitor for known vulnerabilities in your dependencies, both on an ad hoc basis and as part of your CI (Build) system.

Note: This repository is only a plugin to be used with the Snyk CLI tool. To use this plugin to test and fix vulnerabilities in your project, install the Snyk CLI tool first. Head over to snyk.io to get started.

Snyk Maven CLI Plugin

This plugin provides dependency metadata for Maven projects that use mvn and have a pom.xml file. It is an internal component intended for use by our CLI tool.

If you are looking to add tasks to your Maven build process you should use our Maven Plugin.

Features

  • Dependency Tree Analysis: Analyzes Maven dependency trees to build dependency graphs
  • Test Scope Support: Optional inclusion of test-scoped dependencies
  • Verbose Mode: Detailed dependency analysis with version resolution information
  • Archive Scanning: Direct analysis of JAR/WAR files
  • Artifact Fingerprinting: Generate cryptographic fingerprints for Maven artifacts

API Usage

The plugin exports an inspect function that analyzes Maven projects:

import { inspect } from 'snyk-mvn-plugin';

const result = await inspect(rootPath, targetFile, options);

Parameters

  • rootPath (string): The root directory of the Maven project
  • targetFile (string, optional): Path to the pom.xml file or archive to analyze
  • options (MavenOptions, optional): Configuration options

Options

| Option | Type | Default | Description |
|--------|------|---------|-------------|
| dev | boolean | false | Include development dependencies |
| scanAllUnmanaged | boolean | false | Scan all unmanaged archive files |
| allProjects | boolean | false | Include all projects in multi-module builds |
| mavenAggregateProject | boolean | false | Treat as Maven aggregate project |
| mavenVerboseIncludeAllVersions | boolean | false | Include all dependency versions in verbose mode |
| includeProvenance | boolean | false | Generate cryptographic fingerprints for artifacts to prove origin |
| fingerprintAlgorithm | string | 'sha1' | Hash algorithm ('sha1', 'sha256', 'sha512') |
| mavenRepository | string | - | Custom Maven repository path |

Package Provenance

The plugin can generate cryptographic fingerprints (hashes) of the Maven artifacts it resolves, so that the dependency graph records which exact bytes were analyzed and a consumer can later check an artifact on disk against that value.

Prerequisites

  • Maven repository must be accessible (local or custom path)
  • Artifacts must be downloaded and available in the repository
  • Supported file types: JAR, WAR, AAR, and other Maven artifacts

Configuration

Enable fingerprinting by setting includeProvenance: true:

const result = await inspect(rootPath, 'pom.xml', {
  includeProvenance: true,
  fingerprintAlgorithm: 'sha256',
  mavenRepository: '/path/to/custom/repo'
});

Supported Hash Algorithms

  • sha1 - SHA-1 (160-bit) - Default
  • sha256 - SHA-256 (256-bit)
  • sha512 - SHA-512 (512-bit)

SHA-1 is the default, but it is no longer collision resistant; set fingerprintAlgorithm to sha256 or sha512 when the fingerprint is meant to detect deliberate substitution of an artifact rather than accidental corruption.

Output Format

When provenance is enabled, the dependency graph includes PURL (Package URL) identifiers with checksum qualifiers:

{
  "pkgs": [
    {
      "id": "com.example:artifact@1.0.0",
      "info": {
        "name": "com.example:artifact",
        "version": "1.0.0",
        "purl": "pkg:maven/com.example/artifact@1.0.0?checksum=sha256%3Aabc123def456789..."
      }
    }
  ],
  "graph": {
    "nodes": [
      {
        "nodeId": "com.example:artifact:jar:1.0.0",
        "pkgId": "com.example:artifact@1.0.0",
        "deps": []
      }
    ]
  }
}

PURL Format

Package URLs follow the standard pkg:maven form, with the fingerprint carried in a checksum qualifier whose "algorithm:digest" value is percent-encoded (the colon becomes %3A):

pkg:maven/<groupId>/<artifactId>@<version>?checksum=<algorithm>%3A<hex-digest>

Error Handling

If fingerprinting fails for an artifact (for example because it has not been downloaded into the repository), the PURL is emitted without a checksum qualifier. Consumers of the graph should treat such a package as unverified rather than as verified:

{
  "info": {
    "name": "com.example:missing-artifact",
    "version": "1.0.0",
    "purl": "pkg:maven/com.example/missing-artifact@1.0.0"
  }
}

Example Timing Output

Timing information is available via debug logging (DEBUG=snyk-mvn-plugin, or -d on the CLI):

=== Provenance Timing Summary ===
Total artifacts: 25
Successful: 23
Failed: 2
Total time: 1,234.56ms
Average time per artifact: 49.38ms
Fastest: 12.34ms
Slowest: 156.78ms
=====================================

Support

  • ❌ Not supported
  • ❓ No issues expected but not regularly tested
  • ✅ Supported and verified with tests

Supported OS

| OS | Supported |
|---------|-----------|
| Windows | ✅ |
| Linux | ✅ |
| OSX | ✅ |

Supported Node versions

| Node | Supported |
|------|-----------|
| 20 | ✅ |

Supported Maven versions

This plugin supports Maven versions 3.*