Java and Kotlin
Applicability and integration
Available integrations:
SCM import
CLI and IDE: test or monitor your app
Available functions:
Test your app's SBOM using pkg:maven
Test your app's packages using pkg:maven
Technical specifications
Snyk supports Java analysis for Java versions up to SE 21 and is designed to process code from newer Java versions where feasible.
Supported frameworks and libraries
For Java and Kotlin, the following frameworks and libraries are supported:
Amazon AWS SDK - Comprehensive
Android Standard Library - Partial
Apache Commons - Comprehensive
Apache Tomcat - Partial
Apache XML - Comprehensive
apache.mahou - Comprehensive
bouncycastle - Comprehensive
com.azure.ai.openai - Comprehensive
com.google.ai.client.generativeai - Comprehensive
com.google.cloud.vertexai.generativeai - Comprehensive
com.google.re2j - Comprehensive
com.google.gwt - Partial
Dropwizard - Comprehensive
elasticsearch - Partial
FasterXML Jackson - Comprehensive
Google Guava - Comprehensive
grpc-java - Comprehensive
hibernate - Comprehensive
http4k - Comprehensive
io.jsonwebtoken - Comprehensive
Jakarta EE - Partial
Jakarta XML Services - Partial
Java EE - Partial
Java Servlet - Comprehensive
Java Servlet (javax) - Comprehensive
Java Server Pages - Partial
Java Standard Edition - Comprehensive
javalin - Partial
Jax-RS - Comprehensive
jooq - Comprehensive
Kyro - Comprehensive
Micronaut - Comprehensive
mongo-java-driver - Comprehensive
Netty - Comprehensive
okhttp3 - Comprehensive
org.apache.hc.client5 - Comprehensive
org.apache.http.client - Comprehensive
org.apache.sling - Partial
org.apache.tools.zip - Comprehensive
org.codehaus.plexus - Comprehensive
org.dom4j.io - Comprehensive
Playframework - Comprehensive
rxhttp - Comprehensive
Seam logger - Comprehensive
SnakeYaml - Comprehensive
Spongycastle - Comprehensive
Spring AI - Partial
Spring boot - Partial
Spring Web, MVC and JDBC - Comprehensive
Spring WebFlux - Comprehensive
Struts - Partial
Vaadin - Comprehensive
XStream - Comprehensive
Kotlin only:
Android Standard Library - Partial
com.aallam.openai - Comprehensive
com.expediagroup.graphql.server - Comprehensive
Javalin - Partial
Ktor - Comprehensive
Kotlin Standard Library - Comprehensive
khttp - Comprehensive
Supported package managers and package registries
Supported package managers: Maven and Gradle, with the following supported versions:
Maven: 3.*. For more information, see the Snyk Maven plugin readme.
Gradle: 4.*, 5.*, 6.*, 7.*, 8.*. For more information, see the Snyk Gradle plugin readme.
Supported package registry: maven.org (Maven Central Repository)
Java and Kotlin for Snyk Code
For Java and Kotlin with Snyk Code, the following file formats are supported:
For Java: .java, .jsp, .jspx
For Kotlin: .kt
Available features:
Reports
Custom rules
Interfile analysis - Kotlin is fully supported
Interfile analysis - Android is partially supported
Java and Kotlin for Snyk Open Source
For Java and Kotlin with Snyk Open Source, the following file formats are supported:
For Maven: pom.xml
For Gradle: build.gradle, build.gradle.kts
Reports are available for Java and Kotlin with Open Source.
Available features:
Reports
License scanning
Fix PRs (for Gradle, only fix advice is available)
Validating, monitoring, alerting, and gating for Java and Kotlin
For SCM integrations, Snyk allows you to run PR Checks to validate submitted changes to code and open source packages before merging. Snyk can also retest and alert on the default branch on a scheduled basis. You can see the results on the Projects page.
For CI/CD integrations, Snyk can passively monitor and provide a QA gate by failing build checks during testing for policy violations.
Snyk provides flexible capabilities, including:
Gradle Plugins (Community project)
Dedicated plugins for Jenkins, Circle CI, and others (see relevant marketplaces)
Using GitHub Actions
The Snyk CLI can be used in most CI/CD systems (see examples)
Fail the build based on criteria using options or the snyk-filter tool
There are containerized versions available
With partner platforms: Azure, Bitbucket, and AWS have built-in pipes or components for use with Snyk. For Java, Snyk recommends using the SCM integration with Bitbucket Cloud, or the CLI, instead of the prepackaged Bitbucket Pipe.
Snyk can monitor container images and their open source or Linux-based packages running in production through the Kubernetes integration, and notify you of known vulnerabilities in applications in production. This feature is available for Enterprise plans only.
Where a production integration does not exist, use the snyk monitor CLI command to take a snapshot and monitor what is being pushed to production (available for all plans).
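The build-gating step described above can be written as a small policy script run after `snyk test --json-file-output=snyk.json`. The following is an added example, not Snyk's own tooling or the snyk-filter tool: it encodes a policy that the built-in --severity-threshold and --fail-on flags cannot express on their own (block on any high or critical issue, block on medium only when an upgrade path exists, never block on low) and collapses the one-entry-per-path layout of the report into one row per issue. The report fields it relies on (`vulnerabilities[]` with `id`, `severity`, `packageName`, `version`, `from`, `isUpgradable`) are assumed from the `snyk test` JSON output; confirm them against the report your CLI version produces. The embedded sample report is constructed, and its IDs and package names are placeholders, not real advisories.

```python
"""CI severity gate over a `snyk test --json-file-output=snyk.json` report.

Added example, not Snyk's own tooling. Field names of the report are assumed
(vulnerabilities[].id/severity/packageName/version/from/isUpgradable); verify
them against the output of your CLI version before wiring this into a pipeline.
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report. IDs, package names and paths are placeholders,
# not real Snyk vulnerability IDs or real advisories.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "EXAMPLE-1", "severity": "critical", "packageName": "org.example:lib-a",
         "version": "1.0.0", "isUpgradable": True,
         "from": ["snyk:snyk-project@1.0.0-SNAPSHOT", "org.example:lib-a@1.0.0"]},
        # Same issue reached through a second path; the gate reports it once.
        {"id": "EXAMPLE-1", "severity": "critical", "packageName": "org.example:lib-a",
         "version": "1.0.0", "isUpgradable": True,
         "from": ["snyk:snyk-project@1.0.0-SNAPSHOT", "org.example:lib-b@2.3.0",
                  "org.example:lib-a@1.0.0"]},
        {"id": "EXAMPLE-2", "severity": "medium", "packageName": "org.example:lib-c",
         "version": "0.9.1", "isUpgradable": False,
         "from": ["snyk:snyk-project@1.0.0-SNAPSHOT", "org.example:lib-c@0.9.1"]},
        {"id": "EXAMPLE-3", "severity": "medium", "packageName": "org.example:lib-d",
         "version": "4.1.0", "isUpgradable": True,
         "from": ["snyk:snyk-project@1.0.0-SNAPSHOT", "org.example:lib-d@4.1.0"]},
        {"id": "EXAMPLE-4", "severity": "low", "packageName": "org.example:lib-e",
         "version": "7.0.2", "isUpgradable": True,
         "from": ["snyk:snyk-project@1.0.0-SNAPSHOT", "org.example:lib-e@7.0.2"]},
    ],
})


def sample_report():
    """The constructed report above, parsed."""
    return json.loads(SAMPLE_REPORT)


def should_block(vuln):
    """Policy: high/critical always block; medium blocks only if upgradable; low never."""
    rank = SEVERITY_RANK.get(vuln.get("severity", "low"), 0)
    if rank >= SEVERITY_RANK["high"]:
        return True
    if rank == SEVERITY_RANK["medium"]:
        return bool(vuln.get("isUpgradable", False))
    return False


def blocking_issues(report):
    """Distinct blocking issues keyed by (id, package, version), with every
    dependency path that reaches each one collected under 'paths'."""
    issues = {}
    for v in report.get("vulnerabilities", []):
        if not should_block(v):
            continue
        key = (v["id"], v.get("packageName"), v.get("version"))
        entry = issues.setdefault(key, {
            "id": v["id"], "package": v.get("packageName"), "version": v.get("version"),
            "severity": v.get("severity", "low"),
            "upgradable": bool(v.get("isUpgradable", False)), "paths": []})
        entry["paths"].append(" > ".join(v.get("from", [])))
    # Most severe first, then by ID, so the build log leads with what matters.
    return sorted(issues.values(),
                  key=lambda e: (-SEVERITY_RANK.get(e["severity"], 0), e["id"]))


def gate(report):
    """Exit code for the CI step: 1 fails the build, 0 lets it through."""
    return 1 if blocking_issues(report) else 0


def main(argv):
    # Usage: python gate.py snyk.json   (no argument runs the constructed sample)
    report = json.load(open(argv[1])) if len(argv) > 1 else sample_report()
    for issue in blocking_issues(report):
        print(f"[{issue['severity']}] {issue['id']} {issue['package']}@{issue['version']} "
              f"upgradable={issue['upgradable']} via {len(issue['paths'])} path(s)")
    return gate(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the step after `snyk test --json-file-output=snyk.json` and let its exit status fail the job; keeping the policy in one function makes it reviewable and lets you report the non-blocking findings in the same log without failing on them.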
Java support for BOM
Maven supports bill of materials (BOM) POM files to centralize dependency versions known to work together.
A BOM file includes:
a pom packaging type: <packaging>pom</packaging>
a dependencyManagement section
Third-party Projects can provide BOM files to make dependency management easier. Here are some common examples:
spring-data-bom - The Spring team provides a BOM for their Spring Data Project.
jackson-bom - The Jackson Project provides a BOM for Jackson dependencies.
Example of a BOM file:
<project ...>
<modelVersion>4.0.0</modelVersion>
<groupId>snyk</groupId>
<artifactId>snyk-bom</artifactId>
<version>1.0</version>
<packaging>pom</packaging>
<name>Snyk Bill Of Materials</name>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.12</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
The dependencyManagement section contains dependency elements. Each dependency is a lookup reference that Maven uses to determine which version to select for transitive (and direct) dependencies.
Defining a dependency in the dependencyManagement section is used only as a lookup reference; it does not add the dependency to the Project's dependency tree.
You can run mvn dependency:tree on the previous BOM example to show that Maven does not treat the contents as dependencies of the file itself.
This BOM can be used as the parent of a Project POM. The Project POM does not need to specify the log4j version, because it inherits it from the BOM:
<project ...>
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>snyk</groupId>
<artifactId>snyk-bom</artifactId>
<version>1.0</version>
</parent>
<groupId>snyk</groupId>
<artifactId>snyk-project</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>jar</packaging>
<name>Snyk Project</name>
<dependencies>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</dependency>
</dependencies>
</project>
Snyk applies the versions in the BOM dependencyManagement lookup to any dependencies declared in Project POMs that use it as a parent.
When Snyk scans the BOM files, the dependencyManagement contents are not considered dependencies of that file. These are only lookups.
For the previous examples, Snyk analyzes and treats the files as follows:
BOM file - Snyk does not create a Snyk Project for this file because it has no dependencies.
Project POM - Snyk creates a Project with a single dependency, log4j v1.2.12. Snyk applies the rules from the parent BOM to identify the correct version for log4j. The dependency commons-logging is not included, because it is not directly declared in the Project POM.
Snyk also offers fix advice, including recommendations for upgrading vulnerable packages with the Fix PR feature.
Fix PRs can only be created for dependencies whose versions are managed in the POM file where the issue is reported.
If the version or dependency is managed in a parent BOM, then even though Snyk sees that it could fix the vulnerable path by changing the version, it cannot apply the fix.
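The resolution rules described in this section (dependencyManagement is a lookup, not a dependency; the Project POM gets log4j 1.2.12 from its parent; commons-logging never enters the tree; a Fix PR cannot change a version owned by the parent BOM) can be made concrete with a small resolver. The following is an added worked example, not Maven's or Snyk's code. It embeds the two POMs from this page as strings (with the standard POM namespace added, since real files carry it) and makes stated simplifying assumptions: parents are looked up by artifactId only, and `<scope>import</scope>` BOMs, properties, profiles and remote repositories are not modelled. The `fix_pr_possible` helper name and its rule are this example's rendering of the constraint stated above, not a Snyk API.

```python
"""Model of how Maven resolves a dependency version from a parent BOM's
dependencyManagement, and what that means for Snyk reporting and Fix PRs.
Added example, not Maven or Snyk code; see the assumptions in the comments."""
import xml.etree.ElementTree as ET

# The BOM from this page, with the standard POM namespace added.
BOM_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>snyk</groupId>
  <artifactId>snyk-bom</artifactId>
  <version>1.0</version>
  <packaging>pom</packaging>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.12</version>
      </dependency>
      <dependency>
        <groupId>commons-logging</groupId><artifactId>commons-logging</artifactId><version>1.1.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

# The Project POM from this page: log4j declared without a version.
PROJECT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>snyk</groupId><artifactId>snyk-bom</artifactId><version>1.0</version></parent>
  <groupId>snyk</groupId>
  <artifactId>snyk-project</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>jar</packaging>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId></dependency>
  </dependencies>
</project>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds


def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None) if elem is not None else None


def _text(elem, name):
    c = _child(elem, name)
    return c.text.strip() if c is not None and c.text else None


def _deps(container):
    """(groupId, artifactId, version-or-None) for each <dependency> under container."""
    deps = _child(container, "dependencies")
    return [] if deps is None else [
        (_text(d, "groupId"), _text(d, "artifactId"), _text(d, "version"))
        for d in deps if _local(d.tag) == "dependency"]


def parse_pom(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "artifactId": _text(root, "artifactId"),
        "packaging": _text(root, "packaging") or "jar",
        "parent": _text(_child(root, "parent"), "artifactId"),  # assumption: keyed by artifactId
        # dependencyManagement is a lookup table, kept apart from real dependencies
        "managed": {(g, a): v for g, a, v in _deps(_child(root, "dependencyManagement"))},
        "declared": _deps(root),
    }


def resolve(pom, poms_by_artifact):
    """Resolve the POM's direct dependencies: an inline <version> wins, otherwise the
    nearest dependencyManagement entry walking up the parent chain. Returns
    [(groupId, artifactId, version, managed_in)], where managed_in is the artifactId
    of the POM that supplied the version."""
    chain, cur = [], pom
    while cur is not None:
        chain.append(cur)
        cur = poms_by_artifact.get(cur["parent"])
    resolved = []
    for g, a, v in pom["declared"]:
        if v is not None:
            resolved.append((g, a, v, pom["artifactId"]))
            continue
        supplier = next((p for p in chain if (g, a) in p["managed"]), None)
        if supplier is None:
            raise ValueError(f"{g}:{a} has neither an inline nor a managed version")
        resolved.append((g, a, supplier["managed"][(g, a)], supplier["artifactId"]))
    return resolved


def fix_pr_possible(pom, resolved_dep):
    """The constraint from this page: a Fix PR can only change a version managed in the
    POM where the issue is reported, not one inherited from a parent BOM."""
    return resolved_dep[3] == pom["artifactId"]


if __name__ == "__main__":
    bom, project = parse_pom(BOM_POM), parse_pom(PROJECT_POM)
    print("BOM direct dependencies:", bom["declared"])  # empty: nothing for Snyk to scan
    for dep in resolve(project, {bom["artifactId"]: bom}):
        print(dep, "fix PR possible in this POM:", fix_pr_possible(project, dep))
```

Pinning `<version>` inline in the Project POM changes the outcome: the version is then owned by the Project POM, so a Fix PR can bump it there, at the cost of silently diverging from the BOM. If you want Fix PRs for a version managed in a parent BOM, the bump has to be made in the BOM itself.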
See additional resources for Java developers on security topics and best practices: