# Java and Kotlin
## Applicability and integration
{% hint style="info" %}
Java and Kotlin are supported for Snyk Code and Snyk Open Source.
{% endhint %}
Available integrations:
* SCM import
* CLI and IDE: test or monitor your app
{% hint style="info" %}
**Release status**
Improved Gradle SCM scanning is in Early Access. For more information, see [SCM integrations with Maven and Gradle](https://docs.snyk.io/supported-languages/supported-languages-list/java-and-kotlin/git-repositories-with-maven-and-gradle).
{% endhint %}
## Technical specifications
Snyk supports Java analysis for Java versions up to SE 21 and is designed to process code from newer Java versions where feasible.
### Supported frameworks and libraries
For Java and Kotlin, the following frameworks and libraries are supported:
{% columns %}
{% column %}
* Amazon AWS SDK
* Android Standard Library
* Apache Commons
* Apache Tomcat
* Apache XML
* apache.mahou
* bouncycastle
* com.azure.ai.openai
* com.google.ai.client.generativeai
* com.google.cloud.vertexai.generativeai
* com.google.re2j
* com.google.gwt
* Dropwizard
* elasticsearch
* FasterXML Jackson
* Google Guava
* grpc-java
* hibernate
* http4k
* io.jsonwebtoken
* Jakarta EE
* Jakarta XML Services
* Java EE
* Java Servlet
* Java Servlet (javax)
* Java Server Pages
* Java Standard Edition
* javalin
* Jax-RS
* jooq
{% endcolumn %}
{% column %}
* Kyro
* Micronaut
* mongo-java-driver
* Netty
* okhttp3
* org.apache.hc.client5
* org.apache.http.client
* org.apache.sling
* org.apache.tools.zip
* org.codehaus.plexus
* org.dom4j.io
* Playframework
* rxhttp
* Seam logger
* SnakeYaml
* Spongycastle
* Spring AI
* Spring boot
* Spring Web, MVC and JDBC
* Spring WebFlux
* Struts
* Vaadin
* XStream
Kotlin only:
* Android Standard Library
* com.aallam.openai
* com.expediagroup.graphql.server
* Javalin
* Ktor
* Kotlin Standard Library
* khttp
{% endcolumn %}
{% endcolumns %}
### Supported package managers and package registries
* Supported package managers: [Maven](https://maven.apache.org) and [Gradle](https://gradle.org), with the following supported versions:
* Maven: `3.*` , `4.*`. For more information, see the [Snyk Maven plugin readme](https://github.com/snyk/snyk-mvn-plugin#support).
* Gradle: `4.*`, `5.*`, `6.*`, `7.*`, `8.*`, `9*`. For more information, see the [Snyk Gradle plugin readme](https://github.com/snyk/snyk-gradle-plugin#support).
* Supported package registry: [maven.org](https://maven.org/) (Maven Central Repository)
## Java and Kotlin for Snyk Code
For Java and Kotlin with Snyk Code, the following file formats are supported:
* For Java: `.java`, `.jsp`, `.jspx`
* For Kotlin: `.kt`
Available features:
* Reports
* Interfile analysis - Kotlin is fully supported
* Interfile analysis - Android is partially supported
## Java and Kotlin for Snyk Open Source
For Java and Kotlin with Snyk Open Source, the following file formats are supported:
* For Maven: `pom.xml`
* For Gradle: `build.gradle`, `build.gradle.kts`
Available features:
* Reports
* License scanning
* Fix PRs (for Gradle only Fix advice is available)
* Test your app's SBOM and packages using `pkg:maven` PURLs through the [SBOM test](https://docs.snyk.io/developer-tools/snyk-cli/commands/sbom-test) CLI command
## Validating, monitoring, alerting, and gating for Java and Kotlin
For SCM integrations, Snyk allows you to [run PR Checks](https://docs.snyk.io/scan-with-snyk/pull-requests/pull-request-checks) to validate submitted changes to code and open source packages before merging. Snyk can also retest and alert on the default branch on a scheduled basis. You can see the results on the **Projects** page.
For CI/CD integrations, Snyk can passively monitor and provide a QA gate by failing build checks during testing for policy violations.
Snyk provides flexible capabilities, including:
* [Gradle Plugins](https://snyk.io/blog/gradle-plugin-by-snyk-gradle-dependencies-scanning/) (Community project)
* [Maven Plugins](https://snyk.io/blog/snyk-maven-plugin-integrated-security-vulnerability-scanning-for-developers/)
* Dedicated plugins for Jenkins, Circle CI, and others (see relevant marketplaces)
* Using [Github Actions](https://snyk.io/blog/building-a-secure-pipeline-with-github-actions/)
* The Snyk CLI can be used in most CI/CD systems (see [examples](https://github.com/snyk-labs/snyk-cicd-integration-examples))
* Fail the build based on criteria using options or the [snyk-filter](https://docs.snyk.io/developer-tools/snyk-cli/scan-and-maintain-projects-using-the-cli/cli-tools/snyk-filter) tool
* There are [containerized](https://hub.docker.com/r/snyk/snyk) versions available
* With Partner Platforms: Azure, Bitbucket, and AWS have built-in pipes/components for use with Snyk. For Java, Snyk suggests using the SCM integration with Bitbucket Cloud or using the CLI instead of the prepackaged Bitbucket Pipe.
Snyk can monitor container images and their open source or Linux based packages being used in production using Kubernetes integration, to notify customers of known vulnerabilities for applications in production. This feature is available for Enterprise plans only.
Where a production integration does not exist, use the [snyk monitor](https://docs.snyk.io/developer-tools/snyk-cli/commands/monitor) CLI command to take a snapshot and monitor what is being pushed to production (available for all plans).
## Java support for BOM
Maven supports [bill of materials (BOM) POM files](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms) to centralize dependency versions known to work together.
A BOM file includes:
* a `pom` packaging type: `pom`.
* a `dependencyManagement` section.
Third-party Projects can provide BOM files to make dependency management easier. Here are some common examples:
* [spring-data-bom](https://github.com/spring-projects/spring-data-bom) - The Spring team provides a BOM for their Spring Data Project.
* [jackson-bom](https://github.com/FasterXML/jackson-bom) - The Jackson Project provides a BOM for Jackson dependencies.
Example of a BOM file:
{% code title="Example 1 - BOM file" %}
```xml
4.0.0
snyk
snyk-bom
1.0
pom
Snyk Bill Of Materials
log4j
log4j
1.2.12
commons-logging
commons-logging
1.1.1
```
{% endcode %}
The `dependencyManagement` section contains dependency elements. Each dependency is a lookup reference for Maven to determine the version to select for transitive (and direct) dependencies.
Defining a dependency in the `dependencyManagement` section ia used only for lookup reference, it does not add it to the dependency tree of the Project.
You can run `mvn dependency:tree` on the previous BOM example to show that Maven does not treat the contents as dependencies of the file itself.
This BOM can be imported into a Project POM as a parent. You do not need to specify the `log4j` version, as it inherits it from the BOM:
{% code title="Example 2 - Project POM" %}
```xml
4.0.0
snyk
snyk-bom
1.0
snyk
snyk-project
1.0.0-SNAPSHOT
jar
Snyk Project
log4j
log4j
```
{% endcode %}
Snyk applies the versions in the BOM `dependencyManagement` lookup to any dependencies declared in Project POMs that import it as a `parent`.
When Snyk scans the BOM files, the `dependencyManagement` contents are not considered dependencies of that file. These are only lookups.
For the previous examples, Snyk analyzes and treats the files as follows:
* BOM file - Snyk does not create a Snyk Project for this file because it has no dependencies.
* Project POM - Snyk creates a Project with a single dependency of `log4j,` with `v1.2.12`. Snyk applies the rules from the parent BOM to identify the correct version for `log4j`. The dependency `commons-logging` is not included, as it is not directly declared in the Project POM.
{% hint style="info" %}
If a BOM has direct dependencies outside `dependencyManagement`, then Snyk creates a Project for that BOM.
{% endhint %}
Snyk also offers fix advice, including recommendations for upgrading vulnerable packages with the [Fix PR feature](https://docs.snyk.io/scan-with-snyk/pull-requests#snyk-fix-prs).
Fix PRs can only be created for dependencies whose versions are managed in the POM file where the issue is reported.
If the version or dependency is managed in a parent BOM, then even though Snyk sees that it could fix the vulnerable path by changing the version, it cannot apply the fix.
See additional resources for Java developers on security topics and best practices:
* [Snyk Blog](https://snyk.io/blog/)
* [Securing your modern software supply chain](https://snyk.io/blog/software-supply-chain-security/)
* [Snyk for secure Java development](https://snyk.io/blog/snyk-for-secure-java-development/)
* [Advanced IntelliJ debugger features](https://snyk.io/blog/advanced-intellij-debugger-features/)
* [Spring4shell: the zero day RCE Spring Framework explained](https://snyk.io/blog/spring4shell-zero-day-rce-spring-framework-explained/)
* [Log4j vulnerability explained: Prevent Log4Shell RCE by updating to version 2.17.1](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-44228/)
* [Best practices for managing Java dependencies](https://snyk.io/blog/best-practices-for-managing-java-dependencies/)
* [Exploring the Spring security authorization bypass (CVE-2022-31692)](https://snyk.io/blog/spring-security-authorization-bypass-cve-2022-31692/)