Maven Package Scanner

The Maven package scanner automatically detects and extracts all third-party dependencies declared in your Java projects that use Maven as their build and dependency management tool.

What It Does

Default file: pom.xml

When you enable the Maven scanner during SBOM creation, CAST SBOM Manager will:

  • Extract direct dependencies only (not transitive dependencies), including their names and versions
  • Follow parent POM inheritance and multi-module structures
  • Resolve version numbers that use Maven properties or variables
  • Handle multi-module projects where multiple components are defined together as a single Maven build
  • Process dependency management sections that define version constraints
  • Include profile-based dependencies that are activated by default

What Gets Detected

The Maven scanner identifies direct dependencies only. It does not resolve transitive dependencies. Specifically, it captures:

  • Direct dependencies declared in <dependencies> sections
  • Managed dependencies defined in <dependencyManagement> sections
  • Dependencies inherited from parent POMs
  • Dependencies from active Maven profiles
  • Multi-module project dependencies
  • Dependencies using version properties and variables
  • Imported BOM (Bill of Materials) dependencies

How It Works

Basic Project Structure

For a standard Maven project with a single pom.xml file, the scanner reads the file and extracts all dependency declarations. Each dependency includes:

  • Group ID and Artifact ID - Uniquely identifies the library
  • Version - The specific version your project uses

Parent POM Inheritance

Many Maven projects inherit configuration from a parent POM. The scanner:

  • Locates and reads parent POMs referenced in your project
  • Merges parent configuration with your project's configuration
  • Resolves versions that are inherited from parent projects
  • Can access parent POMs from your local Maven repository if needed

Multi-Module Projects

For projects organized as Maven multi-modules (where a parent POM defines multiple child modules), the scanner:

  • Identifies the parent POM that defines the module structure
  • Discovers all child modules referenced in the parent
  • Processes each module separately to extract its dependencies
  • Maintains the relationship between modules

Version Resolution

Maven projects often define versions flexibly using properties and variables. The scanner:

  • Reads property definitions from <properties> sections
  • Resolves version variables like ${spring.version} to their actual values
  • Handles nested property references
  • Resolves Maven built-in properties like ${project.version}
  • Captures version ranges (e.g., [1.0,2.0)) as-is without resolving to specific versions
  • Falls back to dependency management when a dependency has no version specified
  • Records dependencies without version information if no version can be determined

Dependency Management

Maven's dependency management feature allows projects to define version constraints without directly adding dependencies. The scanner:

  • Processes <dependencyManagement> sections
  • Applies managed versions to dependencies that don't specify versions
  • Handles imported BOMs (Bill of Materials) that define version sets
  • Can access external BOMs from your local Maven repository
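The version-resolution rules from the two sections above (property expansion including nested references and the built-in ${project.version}, fallback to <dependencyManagement> when a dependency has no version, version ranges kept as-is, and no version recorded when none can be determined), as an added Python example that is not CAST SBOM Manager's own code. It parses a constructed pom.xml embedded inline and, as a simplification, does not follow parent POMs, profiles or imported BOMs.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample pom.xml (not from the page); it covers each resolution case listed above.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>app</artifactId><version>1.4.0</version>
  <properties>
    <spring.version>5.3.30</spring.version>
    <jackson.base>2.15</jackson.base>
    <jackson.version>${jackson.base}.2</jackson.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>32.1.2-jre</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>${jackson.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>app-core</artifactId><version>${project.version}</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>[1.7,2.0)</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>unmanaged</artifactId></dependency>
  </dependencies>
</project>"""
PROP_RE = re.compile(r"\$\{([^}]+)\}")

def resolve(value, props, depth=0):
    """Expand ${...} references; recurse for nested properties, leave unknown ones untouched."""
    if value is None or depth > 10: return value   # depth guard against self-referencing properties
    expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else resolve(expanded, props, depth + 1)

def text(el, tag):
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else None

def extract_direct_dependencies(pom_xml):
    """Return {(groupId, artifactId): version-or-None} for the direct <dependencies> only."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                   # drop the POM namespace so plain tag names match
        el.tag = el.tag.split("}")[-1]
    props = {p.tag: p.text.strip() for p in root.findall("./properties/*") if p.text}
    props["project.version"] = text(root, "version")   # Maven built-in property
    managed = {}
    for d in root.findall("./dependencyManagement/dependencies/dependency"):
        managed[(text(d, "groupId"), text(d, "artifactId"))] = resolve(text(d, "version"), props)
    result = {}
    for d in root.findall("./dependencies/dependency"):
        key = (text(d, "groupId"), text(d, "artifactId"))
        version = resolve(text(d, "version"), props)   # ranges like [1.7,2.0) pass through verbatim
        result[key] = version if version is not None else managed.get(key)  # managed fallback, else None
    return result
```

Running `extract_direct_dependencies(POM)` yields six direct dependencies; `guava` picks up its managed version and `unmanaged` is recorded with no version.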

External Repository Access

When configured with access to your local Maven repository (typically ~/.m2/repository), the scanner can:

  • Resolve parent POMs not present in the project source
  • Import external BOM files referenced by your dependencies
  • Access complete dependency metadata for accurate version resolution

What It Doesn't Detect

The Maven scanner focuses on declared dependencies only. It does not detect:

  • Libraries manually copied into your project (not declared in POMs)
  • Transitive dependencies (indirect dependencies of your dependencies)
  • Runtime-only libraries loaded dynamically
  • Embedded or copy-pasted code from open source projects

For complete open source detection, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify undeclared components.