{"id":17064,"library":"snyk-mvn-plugin","title":"Snyk Maven CLI Plugin","description":"The `snyk-mvn-plugin` is an internal JavaScript/TypeScript component primarily designed to be used by the Snyk CLI tool. Its core function is to analyze Maven project dependencies by inspecting `pom.xml` files and archive files (like JAR/WAR) to build detailed dependency graphs. It supports optional inclusion of test-scoped dependencies, provides verbose output for comprehensive version resolution, and can generate cryptographic artifact fingerprints for supply chain integrity. The current stable version is 4.6.1, released on 2026-03-23, with a frequent release cadence indicating active development and continuous feature enhancements and bug fixes. This plugin is distinct from the `snyk-maven-plugin`, which is a native Maven plugin for integrating Snyk tasks directly into a Maven build process. This package specifically focuses on providing dependency metadata to the Snyk CLI for vulnerability scanning and requires Node.js 20 or higher for execution.","status":"active","version":"4.6.1","language":"javascript","source_language":"en","source_url":"https://github.com/snyk/snyk-mvn-plugin","tags":["javascript"],"install":[{"cmd":"npm install snyk-mvn-plugin","lang":"bash","label":"npm"},{"cmd":"yarn add snyk-mvn-plugin","lang":"bash","label":"yarn"},{"cmd":"pnpm add snyk-mvn-plugin","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The package primarily exports an `inspect` function. Given the Node.js 20+ requirement, it is best used with ESM `import` syntax. Direct `require` might fail if the package is pure ESM.","wrong":"const { inspect } = require('snyk-mvn-plugin');","symbol":"inspect","correct":"import { inspect } from 'snyk-mvn-plugin';"},{"note":"For TypeScript users, import `MavenOptions` (and potentially `InspectResult` or other types) for type safety when configuring the `inspect` function.","symbol":"MavenOptions","correct":"import type { MavenOptions } from 'snyk-mvn-plugin';"}],"quickstart":{"code":"import { inspect } from 'snyk-mvn-plugin';\nimport * as path from 'path';\nimport * as fs from 'fs';\n\nasync function runSnykMavenInspection() {\n  const projectRoot = process.cwd(); // Assume running from project root\n  const targetPom = path.join(projectRoot, 'pom.xml');\n\n  if (!fs.existsSync(targetPom)) {\n    console.error(`Error: pom.xml not found at ${targetPom}`);\n    console.error('Please ensure you run this from a Maven project root or specify targetFile.');\n    process.exit(1);\n  }\n\n  console.log(`Inspecting Maven project at: ${projectRoot}`);\n  console.log(`Using target file: ${targetPom}`);\n\n  try {\n    const options = {\n      dev: false, // Do not include development dependencies\n      includeProvenance: true, // Generate cryptographic fingerprints for artifacts\n      fingerprintAlgorithm: 'sha256', // Use SHA-256 for fingerprinting\n      // mavenRepository: '/path/to/custom/repo' // Uncomment and adjust if you have a custom local Maven repository\n    };\n\n    const result = await inspect(projectRoot, targetPom, options);\n\n    console.log('Inspection complete.');\n    console.log(`Found ${result.pkgs ? result.pkgs.length : 0} packages.`);\n    if (result.pkgs && result.pkgs.length > 0 && result.pkgs[0].info.purl) {\n      console.log('First package PURL with checksum:', result.pkgs[0].info.purl);\n    }\n    // Uncomment the line below for full JSON output\n    // console.log(JSON.stringify(result, null, 2));\n  } catch (error: any) {\n    console.error('Error during inspection:', error.message);\n    process.exit(1);\n  }\n}\n\nrunSnykMavenInspection();","lang":"typescript","description":"Demonstrates how to use the `inspect` function to analyze a Maven `pom.xml` file, including options for provenance and algorithm selection."},"warnings":[{"fix":"Ensure the Snyk CLI is installed and configured if attempting to perform security analysis. If integrating with Maven builds, consider using `io.snyk:snyk-maven-plugin` directly in your `pom.xml`.","message":"This package (`snyk-mvn-plugin`) is an internal component intended for use by the Snyk CLI tool. It is not designed for standalone vulnerability scanning without the Snyk CLI. For direct Maven build integration, refer to the `snyk-maven-plugin`.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Upgrade your Node.js environment to version 20 or newer. Use a Node.js version manager like `nvm` to easily switch versions.","message":"The package explicitly requires Node.js v20 or higher, as indicated by its `engines` field. Running with older Node.js versions (e.g., v18) will result in runtime errors.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Ensure Maven is installed and configured in your system's PATH, or that a `mvnw` executable exists and is runnable in your project's root directory.","message":"The `inspect` function relies on a local Maven installation (or `mvnw` wrapper) being available in the environment and accessible in the system PATH to perform dependency resolution.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Run a standard Maven build command (e.g., `mvn install` or `mvn dependency:resolve`) beforehand to ensure all necessary artifacts are present in your local Maven repository.","message":"When enabling `includeProvenance` for artifact fingerprinting, the Maven artifacts must already be downloaded and available in the configured local or custom Maven repository. The plugin does not perform artifact downloads itself.","severity":"gotcha","affected_versions":">=4.3.0"},{"fix":"Upgrade to `snyk-mvn-plugin` version `2.31.3` or higher immediately. For CI/CD environments, ensure Snyk Docker images are updated as of 2022-11-29 or later.","message":"Versions prior to `2.31.3` (specifically `2.2.0` to `2.31.2`) were vulnerable to Command Injection (CVE-2022-40764, CVE-2022-22984) due to an incomplete fix. This could allow attackers to run arbitrary commands on the host system, particularly in CI/CD pipelines.","severity":"breaking","affected_versions":"<2.31.3"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Install the package using `npm install snyk-mvn-plugin` or `yarn add snyk-mvn-plugin`. Verify the import path is exactly `snyk-mvn-plugin`.","cause":"The package is not installed in the project or the import path is incorrect.","error":"Error: Cannot find module 'snyk-mvn-plugin' or its corresponding type declarations."},{"fix":"Upgrade your Node.js environment to version 20 or newer. Use a Node.js version manager (like `nvm` or `volta`) to manage different Node.js versions.","cause":"The Node.js version in use is older than the minimum required by the package.","error":"Error: Must be run with Node.js version >= 20.0.0"},{"fix":"Ensure that Maven is installed on your system and its binary directory is added to your system's PATH environment variable. Alternatively, ensure `mvnw` is present and executable in the project root.","cause":"The Maven executable (`mvn` or `mvnw`) was not found in the system PATH or is not accessible, preventing dependency tree analysis.","error":"Error: Command failed: mvn -B dependency:tree"},{"fix":"Use ESM `import { inspect } from 'snyk-mvn-plugin';` syntax. Ensure your project's `package.json` specifies `\"type\": \"module\"` if it's a pure ESM project, or use a bundler that correctly handles ESM/CJS interop.","cause":"Attempting to use a CommonJS `require` syntax with an ESM-only package, or incorrect named import for an ESM module.","error":"TypeError: inspect is not a function"}],"ecosystem":"npm","meta_description":null}