aquasecurity/trivy

feat(java): Support for Maven 4 settings.xml

Open

#9,908 opened on Dec 9, 2025

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Go (371 forks)batch import
help wantedkind/featuretarget/filesystem

Repository metrics

Stars
 (35,000 stars)
PR merge metrics
 (Avg merge 5d 2h) (53 merged PRs in 30d)

Description

Description

Maven 4 introduces:

  • Project-specific settings at ${session.rootdir}/.mvn/settings.xml (apache/maven@e6303aa)
  • Repositories defined directly under settings > repositories (docs)

Trivy should support both behaviors.

Expected Behavior

  • Detect and read ${session.rootdir}/.mvn/settings.xml if present
  • Support repositories defined at the root of settings.xml (settings > repositories)

Discussed in https://github.com/aquasecurity/trivy/discussions/9896

Contributor guide