Java and Kotlin
Applicability and integration
Available integrations:
SCM import
CLI and IDE: test or monitor your app
Available functions:
Test your app's SBOM using pkg:maven
Test your app's packages using pkg:maven
Technical specifications
Snyk supports Java analysis for Java versions up to SE 21 and is designed to process code from newer Java versions where feasible.
Supported frameworks and libraries
For Java and Kotlin, the following frameworks and libraries are supported:
Amazon AWS SDK
Android Standard Library
Apache Commons
Apache Tomcat
Apache XML
apache.mahout
bouncycastle
com.azure.ai.openai
com.google.ai.client.generativeai
com.google.cloud.vertexai.generativeai
com.google.re2j
com.google.gwt
Dropwizard
elasticsearch
FasterXML Jackson
Google Guava
grpc-java
hibernate
http4k
io.jsonwebtoken
Jakarta EE
Jakarta XML Services
Java EE
Java Servlet
Java Servlet (javax)
Java Server Pages
Java Standard Edition
javalin
Jax-RS
jooq
Kryo
Micronaut
mongo-java-driver
Netty
okhttp3
org.apache.hc.client5
org.apache.http.client
org.apache.sling
org.apache.tools.zip
org.codehaus.plexus
org.dom4j.io
Playframework
rxhttp
Seam logger
SnakeYaml
Spongycastle
Spring AI
Spring boot
Spring Web, MVC and JDBC
Spring WebFlux
Struts
Vaadin
XStream
Kotlin only:
Android Standard Library
com.aallam.openai
com.expediagroup.graphql.server
Javalin
Ktor
Kotlin Standard Library
khttp
Supported package managers and package registries
Supported package managers: Maven and Gradle, with the following supported versions:
Maven: 3.*, 4.*. For more information, see the Snyk Maven plugin readme.
Gradle: 4.*, 5.*, 6.*, 7.*, 8.*, 9.*. For more information, see the Snyk Gradle plugin readme.
Supported package registry: maven.org (Maven Central Repository)
Java and Kotlin for Snyk Code
For Java and Kotlin with Snyk Code, the following file formats are supported:
For Java: .java, .jsp, .jspx
For Kotlin: .kt
Available features:
Reports
Custom rules
Interfile analysis - Kotlin is fully supported
Interfile analysis - Android is partially supported
Java and Kotlin for Snyk Open Source
For Java and Kotlin with Snyk Open Source, the following file formats are supported:
For Maven: pom.xml
For Gradle: build.gradle, build.gradle.kts
Reports are available for Java and Kotlin with Open Source.
Available features:
Reports
License scanning
Fix PRs (for Gradle, only fix advice is available; no Fix PRs are opened)
Validating, monitoring, alerting, and gating for Java and Kotlin
For SCM integrations, Snyk allows you to run PR Checks to validate submitted changes to code and open source packages before merging. Snyk can also retest and alert on the default branch on a scheduled basis. You can see the results on the Projects page.
For CI/CD integrations, Snyk can passively monitor and provide a QA gate by failing build checks during testing for policy violations.
Snyk provides flexible capabilities, including:
Gradle Plugins (Community project)
Dedicated plugins for Jenkins, Circle CI, and others (see relevant marketplaces)
GitHub Actions
The Snyk CLI can be used in most CI/CD systems (see examples)
Fail the build based on criteria using options or the snyk-filter tool
There are containerized versions available
With Partner Platforms: Azure, Bitbucket, and AWS have built-in pipes/components for use with Snyk. For Java, Snyk suggests using the SCM integration with Bitbucket Cloud or using the CLI instead of the prepackaged Bitbucket Pipe.
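The build gate described above can be expressed as a policy over the JSON report that snyk test --json writes. The CLI enforces the most common policy itself (snyk test --severity-threshold=high --fail-on=upgradable), but when you need to combine criteria or post-process the report in a pipeline step, a small script over the saved JSON does the same job. The following is an added example, not Snyk's own code or the snyk-filter tool: it assumes only that the report has a top-level vulnerabilities list whose entries carry severity, isUpgradable, isPatchable, packageName, version, id and title; the sample report embedded in it is constructed, with placeholder package names and issue ids.

```python
"""Build gate over a saved `snyk test --json` report (added example, not Snyk code)."""
import json
import sys

# Snyk severities from least to most severe.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample of the report `snyk test --json` writes. Package names, ids
# and titles are placeholders, not real Snyk data; only the field names are
# assumed to match real output.
SAMPLE_REPORT = {
    "ok": False,
    "vulnerabilities": [
        {"id": "EXAMPLE-1", "title": "Constructed high issue, upgrade available",
         "packageName": "com.example:lib-a", "version": "1.0.0",
         "severity": "high", "isUpgradable": True, "isPatchable": False},
        {"id": "EXAMPLE-2", "title": "Constructed critical issue, no fix available",
         "packageName": "com.example:lib-b", "version": "2.3.0",
         "severity": "critical", "isUpgradable": False, "isPatchable": False},
        {"id": "EXAMPLE-3", "title": "Constructed medium issue, upgrade available",
         "packageName": "com.example:lib-c", "version": "0.9.1",
         "severity": "medium", "isUpgradable": True, "isPatchable": False},
    ],
}


def violations(report, threshold="high", fail_on="all"):
    """Issues that breach the policy; an empty list means the gate passes.

    threshold mirrors --severity-threshold: issues below it are ignored.
    fail_on mirrors --fail-on: "all", "upgradable" (only issues an upgrade
    would fix) or "patchable" (only issues a Snyk patch would fix).
    """
    if threshold not in SEVERITY_RANK or fail_on not in ("all", "upgradable", "patchable"):
        raise ValueError("unknown threshold or fail_on value")
    floor = SEVERITY_RANK[threshold]
    hits = []
    for issue in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(issue.get("severity"), 0) < floor:
            continue
        if fail_on == "upgradable" and not issue.get("isUpgradable"):
            continue
        if fail_on == "patchable" and not issue.get("isPatchable"):
            continue
        hits.append(issue)
    return hits


def summary_line(issue):
    """One line per violation for the build log."""
    return (f'{issue["severity"].upper():8} {issue["packageName"]}@{issue["version"]} '
            f'{issue["id"]}: {issue["title"]}')


def main(argv):
    # Usage: python gate.py [snyk.json] [threshold] [fail_on]; no file -> sample report.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "high"
    fail_on = argv[3] if len(argv) > 3 else "all"
    hits = violations(report, threshold, fail_on)
    for issue in hits:
        print(summary_line(issue))
    print(f"{len(hits)} policy violation(s) at severity >= {threshold}, fail-on={fail_on}")
    return 1 if hits else 0  # non-zero exit fails the CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because snyk test itself exits non-zero when it finds issues, capture the report with something like snyk test --json > snyk.json || true and let the gate script decide the step's exit status; otherwise the pipeline fails before your policy is applied.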
Using the Kubernetes integration, Snyk can monitor container images running in production, including their open source and Linux packages, and notify you of known vulnerabilities in applications in production. This feature is available for Enterprise plans only.
Where a production integration does not exist, use the snyk monitor CLI command to take a snapshot and monitor what is being pushed to production (available for all plans).
Java support for BOM
Maven supports bill of materials (BOM) POM files to centralize dependency versions known to work together.
A BOM file includes:
a pom packaging type: <packaging>pom</packaging>
a dependencyManagement section
Third-party projects can provide BOM files to make dependency management easier. Here are some common examples:
spring-data-bom - The Spring team provides a BOM for their Spring Data Project.
jackson-bom - The Jackson Project provides a BOM for Jackson dependencies.
Example of a BOM file:
The dependencyManagement section contains dependency elements. Each dependency is a lookup reference for Maven to determine the version to select for transitive (and direct) dependencies.
Defining a dependency in the dependencyManagement section is used only as a lookup reference; it does not add the dependency to the dependency tree of the Project.
You can run mvn dependency:tree on the previous BOM example to show that Maven does not treat the contents as dependencies of the file itself.
This BOM can be imported into a Project POM as a parent. You do not need to specify the log4j version, as it inherits it from the BOM:
Snyk applies the versions in the BOM dependencyManagement lookup to any dependencies declared in Project POMs that import it as a parent.
When Snyk scans the BOM files, the dependencyManagement contents are not considered dependencies of that file. These are only lookups.
For the previous examples, Snyk analyzes and treats the files as follows:
BOM file - Snyk does not create a Snyk Project for this file because it has no dependencies.
Project POM - Snyk creates a Project with a single dependency, log4j v1.2.12. Snyk applies the rules from the parent BOM to identify the correct version for log4j. The dependency commons-logging is not included, as it is not directly declared in the Project POM.
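As an added example, not code from the page or from Snyk: the BOM and project POM described above, written out as constructed files, plus a small Python resolver that applies the dependencyManagement lookup the way the text describes. It shows that the BOM declares no dependencies of its own, that the project POM's version-less log4j resolves to 1.2.12 through the parent BOM, and that commons-logging never enters the project's dependency list because it is managed but not declared. The coordinates com.example:example-bom and example-app, and the commons-logging version 1.2, are assumptions; log4j 1.2.12 is the version the page uses.

```python
"""Resolve Maven dependency versions through a parent BOM (added example)."""
import xml.etree.ElementTree as ET

# Maven POM elements live in this namespace, so every lookup must be qualified.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed BOM: packaging "pom", a dependencyManagement section, and
# deliberately no <dependencies> block of its own.
BOM_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-bom</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.12</version>
      </dependency>
      <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Constructed project POM: uses the BOM as its parent and declares log4j
# without a version, so the version must come from the parent's lookup table.
PROJECT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.example</groupId>
    <artifactId>example-bom</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>example-app</artifactId>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def parse_pom(text):
    """Parse a POM document and return its <project> root element."""
    return ET.fromstring(text)


def _coord(dep):
    """(groupId, artifactId) of a <dependency> element."""
    return (dep.findtext("m:groupId", namespaces=NS),
            dep.findtext("m:artifactId", namespaces=NS))


def managed_versions(root):
    """Versions pinned in <dependencyManagement>: lookups only, not dependencies."""
    return {_coord(dep): dep.findtext("m:version", namespaces=NS)
            for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)}


def declared_dependencies(root):
    """Dependencies actually declared in the top-level <dependencies>; version may be None."""
    return [(_coord(dep), dep.findtext("m:version", namespaces=NS))
            for dep in root.findall("m:dependencies/m:dependency", NS)]


def is_bom(root):
    """A BOM has pom packaging and contributes no dependencies of its own."""
    return root.findtext("m:packaging", namespaces=NS) == "pom" and not declared_dependencies(root)


def resolve(project, parents):
    """Resolve the version of each dependency the project declares.

    Precedence as Maven applies it: an explicit <version> on the dependency,
    then the project's own dependencyManagement, then each parent's, nearest
    parent first (parents[0] is the direct parent).
    """
    lookup = {}
    for pom in reversed(parents):  # farthest ancestor first, nearer ones override
        lookup.update(managed_versions(pom))
    lookup.update(managed_versions(project))
    resolved = {}
    for coord, version in declared_dependencies(project):
        version = version or lookup.get(coord)
        if version is None:
            raise ValueError(f"no version for {coord[0]}:{coord[1]} in the POM or any parent BOM")
        resolved[coord] = version
    return resolved


if __name__ == "__main__":
    bom, app = parse_pom(BOM_POM), parse_pom(PROJECT_POM)
    print("BOM is a BOM:", is_bom(bom), "- declared dependencies:", declared_dependencies(bom))
    print("Managed in BOM:", managed_versions(bom))
    print("Project resolves to:", resolve(app, [bom]))
```

The resolved map is the dependency list Snyk would build for the project POM: one entry, log4j at 1.2.12. Note that the version lives in the BOM, which is exactly the case the page flags for Fix PRs: a fix that requires bumping log4j would have to edit the parent BOM, not the project POM where the issue is reported.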
Snyk also offers fix advice, including recommendations for upgrading vulnerable packages with the Fix PR feature.
Fix PRs can only be created for dependencies whose versions are managed in the POM file where the issue is reported.
If the version or dependency is managed in a parent BOM, then even though Snyk sees that it could fix the vulnerable path by changing the version, it cannot apply the fix.
See additional resources for Java developers on security topics and best practices: