Announcing Java + Maven support

After months of hard work and just in time for the holidays, we are thrilled to announce the immediate availability of Java support in Gemnasium.com and Gemnasium Enterprise 1.5. Starting with an integration with Maven, you can use Gemnasium to monitor security vulnerabilities in your Java codebase, whether it is hosted in the cloud or in your self-hosted code repository of choice.

We would like to acknowledge our early adopters who helped us test this latest functionality during the private beta.

Apache Maven

Gemnasium supports all packages available on Maven Central, the default repository provided by the Maven community, which contains a large number of commonly used libraries. Packages that only exist in other repositories are not covered yet; Gemnasium will synchronize with other repositories if this becomes necessary in the future.

Gemnasium has its own database of security advisories, aggregating many sources. Maven packages are now part of this process, and alerts for them are already available on Gemnasium.com and in Gemnasium Enterprise.

Pom.xml

Gemnasium uses the pom.xml found in your project. POM files have been the centre of dependency management since Maven 2. The following pom.xml features are not yet supported in Gemnasium:

  • Inheritance from a parent POM (coming soon)
  • Aggregation (multi-module builds declared with <modules>)
  • Repositories (dependencies resolved from repositories other than Maven Central)
  • Plugins (build plugins declared under <build><plugins>)
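
To make these limitations concrete, here is an added example (not Gemnasium's parser, and not code from the original post) that reads a single pom.xml with Python's standard library, lists the direct dependencies it declares, and reports what cannot be settled from that one file: a parent POM that is not read, aggregated modules that are not read, and a dependency whose version is managed elsewhere. The embedded pom.xml is constructed for the example, and the `parse_pom` function name and warning texts are this example's own choices.

```python
"""Parse one pom.xml for its direct dependencies and flag what cannot be resolved
from that single file: parent inheritance, aggregated modules and versions managed
elsewhere.  Added example, not Gemnasium's own parser."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not a real project) exercising the features the
# post lists as single-file parsing limitations.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>com.example</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>app</artifactId>
  <properties>
    <commons.version>3.7</commons.version>
  </properties>
  <modules>
    <module>core</module>
  </modules>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _text(elem, ns, name):
    """Text of the child element <name>, or None if it is absent or empty."""
    child = elem.find(ns + name)
    return child.text.strip() if child is not None and child.text else None


def parse_pom(xml_text):
    """Return {'dependencies': [...], 'warnings': [...]} for one pom.xml.

    Only direct dependencies are visible here; anything inherited from a parent
    POM, pinned by dependencyManagement elsewhere or declared in aggregated
    modules is reported as a warning rather than guessed at.
    """
    # ElementTree does not fetch external entities; for POMs from untrusted
    # sources prefer defusedxml, which also blocks entity-expansion attacks.
    root = ET.fromstring(xml_text)
    # Maven POMs carry a default namespace, so every tag is '{uri}name'.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    warnings = []

    # Properties defined in this file are the only ${...} values we can expand.
    props = {p.tag[len(ns):]: (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}

    if root.find(ns + "parent") is not None:
        warnings.append("parent POM present: inherited dependencies, properties "
                        "and dependencyManagement entries are not read")
    modules = [m.text.strip() for m in root.findall(f"{ns}modules/{ns}module") if m.text]
    if modules:
        warnings.append("aggregator POM: modules %s are not read" % ", ".join(modules))

    deps = []
    for d in root.findall(f"{ns}dependencies/{ns}dependency"):
        version = _text(d, ns, "version")
        if version:
            version = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), version)
        dep = {"groupId": _text(d, ns, "groupId"),
               "artifactId": _text(d, ns, "artifactId"),
               "version": version,
               "scope": _text(d, ns, "scope") or "compile"}
        coord = f"{dep['groupId']}:{dep['artifactId']}"
        if version is None:
            warnings.append(f"{coord}: version managed outside this file "
                            "(dependencyManagement or parent POM)")
        elif PROP_RE.search(version):
            warnings.append(f"{coord}: version {version} uses a property "
                            "not defined in this file")
        deps.append(dep)
    return {"dependencies": deps, "warnings": warnings}
```

On the sample, `commons-lang3` resolves to 3.7 from the local property, `junit` is read with its `test` scope, and `spring-web` comes back with no version at all because it is pinned in the parent's dependencyManagement, which a single-file parse cannot see. The three warnings mark exactly where more parsing stops helping and you need the resolved model instead, either from Maven itself (`mvn help:effective-pom`) or from a plugin that runs inside the build.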

Gradle and Ivy configuration files are not yet supported.

Gemnasium Maven plugin

Gemnasium can find your project's direct dependencies by parsing your pom.xml file. However, transitive dependencies (the dependencies of your dependencies) cannot be derived from that single file. To monitor your Java project for security vulnerabilities as accurately as possible and to give it the best support in Gemnasium, we are releasing a new Maven plugin.

The Gemnasium Maven Plugin analyses the dependency graph that Maven resolves when installing your project's dependencies and sends this information to the Gemnasium API. With the plugin, Gemnasium sees the real dependency graph of your project (transitive dependencies, parent POMs, dependencyManagement preferences) instead of only what can be read from your project's pom.xml.
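
As an added example (not the Gemnasium plugin's code, and not from the original post), the following Python reads the text output of `mvn dependency:tree`, which is the resolved graph as Maven sees it, and flattens it into the full list of direct and transitive artifacts, recording for each transitive one the direct dependency that introduced it. That "via" link is what you need when an advisory hits an artifact you never declared. The tree lines are a constructed sample in the plugin's default text format, and the function names are this example's own.

```python
"""Flatten the text output of `mvn dependency:tree` into the full list of
direct and transitive artifacts, with the direct dependency that pulls each
one in.  Added example: a stand-in for the resolved graph the Gemnasium
plugin reads from Maven, not the plugin's own code."""
import re

# Constructed sample in the default text format of `mvn dependency:tree`
# (coordinates are illustrative, not a real project's output).
SAMPLE_TREE_LINES = [
    "[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ app ---",
    "[INFO] com.example:app:jar:1.0.0",
    "[INFO] +- org.apache.commons:commons-lang3:jar:3.7:compile",
    "[INFO] +- org.springframework:spring-web:jar:4.3.13.RELEASE:compile",
    "[INFO] |  +- org.springframework:spring-core:jar:4.3.13.RELEASE:compile",
    r"[INFO] |  \- org.springframework:spring-beans:jar:4.3.13.RELEASE:compile",
    r"[INFO] \- junit:junit:jar:4.12:test",
    r"[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test",
]

LOG_PREFIX_RE = re.compile(r"^\[INFO\] ?")
# Each tree level is a 3-character cell: "+- ", "\- ", "|  " or "   ".
TREE_PREFIX_RE = re.compile(r"^((?:[+\\]- |\|  |   )*)")


def _coords(parts):
    """Split groupId:artifactId:type[:classifier]:version[:scope]."""
    g, a = parts[0], parts[1]
    if len(parts) == 4:               # root project: g:a:type:version
        return g, a, parts[3], None
    if len(parts) == 5:               # g:a:type:version:scope
        return g, a, parts[3], parts[4]
    return g, a, parts[4], parts[5]   # g:a:type:classifier:version:scope


def parse_tree(lines):
    """Return one dict per tree node with its depth and the direct dependency
    (depth 1) through which it was reached."""
    nodes, ancestors = [], []
    for raw in lines:
        line = LOG_PREFIX_RE.sub("", raw.rstrip())
        m = TREE_PREFIX_RE.match(line)
        rest = line[m.end():]
        parts = rest.split(":")
        # Skip banners, blank lines and verbose "(... omitted for conflict)" notes.
        if not rest or " " in rest or not 4 <= len(parts) <= 6:
            continue
        depth = len(m.group(1)) // 3
        g, a, version, scope = _coords(parts)
        coord = f"{g}:{a}:{version}"
        ancestors[depth:] = [coord]          # ancestors[0] is the project itself
        nodes.append({"coord": coord, "groupId": g, "artifactId": a,
                      "version": version, "scope": scope, "depth": depth,
                      "via": ancestors[1] if depth >= 1 else None})
    return nodes


def flatten(nodes):
    """Collapse the tree into {coord: info}, keeping the shallowest occurrence."""
    flat = {}
    for n in nodes:
        if n["depth"] == 0:
            continue                          # the project is not a dependency
        if n["coord"] not in flat or n["depth"] < flat[n["coord"]]["depth"]:
            flat[n["coord"]] = {"scope": n["scope"], "depth": n["depth"],
                                "direct": n["depth"] == 1, "via": n["via"]}
    return flat


if __name__ == "__main__":
    for coord, info in flatten(parse_tree(SAMPLE_TREE_LINES)).items():
        kind = "direct" if info["direct"] else f"transitive via {info['via']}"
        print(f"{coord} [{info['scope']}] {kind}")
```

The sample pom.xml-style view would show three artifacts; the resolved tree shows six, and it is the three transitive ones (`spring-core`, `spring-beans`, `hamcrest-core`) that a pom-only scan would never match against an advisory. Feeding the flattened `groupId:artifactId:version` set, rather than the declared dependencies, to the advisory database is the point of sending the real graph from inside the build.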

For Java users the plugin is the most accurate way to report dependencies, and it fits naturally into your build process in Jenkins or any other CI/CD tool.

How to get started

We have documented detailed installation steps here.

Please consult your Gemnasium account settings to retrieve your API key, which the plugin needs in order to complete the configuration and start monitoring your Java projects. Treat the key like any other credential: keep it in your CI tool's secret store rather than committing it to pom.xml.

What’s next

Adding a new language is always a significant leap forward, and each one takes a lot of time. Java was a big challenge, but we learned a lot by digging into the Maven specs and improved our Java development skills along the way.

Many of you have already asked us to add support for Gradle, and we are committed to pursuing this and other build tools in 2018.

As always, please leave us feedback at http://support.gemnasium.com/. We love hearing from you and how we can improve Gemnasium to meet your needs.