aquasecurity/trivy

feat(java): Support for Maven 4 settings.xml

Open

#9908 opened on Dec 9, 2025

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Go (35,000 stars) (371 forks)batch import
help wantedkind/featuretarget/filesystem

Description

Description

Maven 4 introduces:

  • Project-specific settings at ${session.rootdir}/.mvn/settings.xml (apache/maven@e6303aa)
  • Repositories defined directly under settings > repositories (docs)

Trivy should support both behaviors.

Expected Behavior

  • Detect and read ${session.rootdir}/.mvn/settings.xml if present
  • Support repositories defined at the root of settings.xml (settings > repositories)

Discussed in https://github.com/aquasecurity/trivy/discussions/9896

Contributor guide

Tech stack
gojava
Domain
securitytooling
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
basic Go knowledgeunderstanding of Maven settings
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
55
Research direction
Review the existing Maven analysis code in Trivy (likely under pkg/fanal/analyzer/build/maven). Understand how Maven 3 settings are currently handled. Look at the linked discussion (#9896) for additional context. Refer to Maven 4 documentation for the new settings.xml behavior, particularly the ${session.rootdir}/.mvn/settings.xml path and repositories at the root level.