Secure Java dependencies with Maven repositories

Cover image

If you are looking to host all your organization’s internal Java packages and public dependencies in a private repository - use a secure Maven repository from Bytesafe.

Maven is a build tool to manage Java, Kotlin, Scala projects (or other similar JVM based languages). With a single source for both developers and CI/CD, you can protect the software supply chain and make sure every user has access to your organizations approved dependencies.

With the recent disclosure of multiple critical vulnerabilities in the widely used open source logging framework Apache log4j, keeping track of and securing JVM dependencies is more relevant than ever. The game-changing exploits in log4j have made it apparent for organizations that keeping track of the code they are using is a necessity - else they risk being exploited by a vulnerability that gives full server control.

With hundreds of automated CI/CD pipelines and decentralized developers this is not an easy task - but definitely achievable with the right tools.

This post describes how you easily set up a secure and private Maven repository. Bytesafe’s repositories are hosted, you can focus on securing your supply chain and get started instantly without having to think of infrastructure.

Compatible with both Maven or Gradle - build your projects securely with the build tools of your choice.

Reasons to use a private Maven repository

Open source is everywhere, to the point of it almost being synonymous with software development. Yet a secure supply chain requires organizations to take responsibility for the code they are using - and not allow free entry of untrusted code into their organization from public sources.

log4j version quarantined

Vulnerable version of log4j automatically quarantined by the Bytesafe Dependency Firewall, preventing it from being used in your organization


Secure open source dependencies for developers and CI/CD systems. With 1300+ public repositories and over 24 million Java artifacts available, make sure you can trust the dependencies used in your organization. Enforce your security policies and automatically quarantine unwanted dependencies. Avoid compromised new versions with a set delay before newly published versions are allowed in your organization.

Share internal packages. With a wide range of applications that depend on each other, organizations require private repositories to share code while keeping artifacts private and secure.

Getting started with a secure Maven repository

Using a private Maven repository is no more complicated than using the default repository.

All popular build tools, like Maven & Gradle, support private repositories, either as a target when deploying packages or as a source for dependencies. With some simple config you can have your build clients fetch dependencies from Bytesafe in place of Maven Central.

These steps assume users have access to a Bytesafe workspace. If not - Sign up for Bytesafe today for free.

Create a Maven repository

To get started you need to create a Maven repository and configure access to it for your client of choice.

create a Maven registry in Bytesafe

After you have created your Maven repository, you need to add a secure access token to your project.

The access token ensures only intended users have access to packages stored in Bytesafe. Create an access token in Bytesafe and add it to your list of repositories in settings.xml your configuration file for Maven.

<!-- Add the access token and id configuration to settings.xml -->

<servers>

<server>

<id>{MAVEN-REGISTRY}</id>

<username>{USER}</username>

<password>{ACCESS-TOKEN}</password>

<configuration>

<httpConfiguration>

<all>

<usePreemptive>true</usePreemptive>

</all>

</httpConfiguration>

</configuration>

</server>

</servers>

The id in settings.xml needs to match other configuration provided for uploading packages and installing dependencies.

Upload a Maven package

Maven artifacts can be added to Bytesafe either using mvn deploy or by uploading files manually.

To deploy using the mvn client users need to add the necessary configuration to the project pom.xml file.

<!-- Add the repository and snapshotRepository configuration to pom.xml -->

<distributionManagement>

<repository>

<id>{MAVEN-REGISTRY}</id>

<url>https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/</url>

</repository>

<snapshotRepository>

<id>{MAVEN-REGISTRY}</id>

<url>https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/</url>

</snapshotRepository>

</distributionManagement>

Users can choose to deploy snapshots and release versions to either the same or different registries.

With your Maven project configured you can deploy artifacts to your private registry for other internal developers or CI/CD to access.

# Deploy artifacts to Bytesafe using Maven

$ mvn clean deploy

Resolving Maven project dependencies

With a public repository, like Maven Central, configured as an upstream for a registry, Bytesafe will proxy public dependencies and pull any required (and allowed) version into your private Maven repository.

It’s recommended to use a general mirror configuration to set the private Maven repository as the package source. This overrides any project specific configuration, making sure security features are not bypassed for individual projects.

<!-- Mirror configuration in settings.xml -->

<mirrors>

<mirror>

<id>{MAVEN-REGISTRY}</id>

<mirrorOf>*</mirrorOf>

<url>https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/</url>

</mirror>

</mirrors>

Any Maven dependency specified as a dependency in your projects with <dependency> in the pom.xml file, will be fetched when building your project.

<!-- Add dependencies be specifying them in the pom.xml file -->

<dependency>

<groupId>{GROUP_ID}</groupId>

<artifactId>{ARTIFACT_ID}</artifactId>

<version>{PACKAGE_VERSION}</version>

</dependency>

With project dependencies specified in the pom.xml file, you can install dependencies using regular Maven commands like mvn install or mvn verify.

# Install Maven dependencies from Bytesafe

$ mvn clean install

Installing SNAPSHOT versions

To install snapshot versions (X.-SNAPSHOT) with Maven, users are required to explicitly specify the use of a snapshot repository. This is because there is no default snapshot repository associated with Maven.

This can be set either per project in the pom.xml file or project agnostic as part of a user’s profile. See the documentation for more details.

Using Gradle with your Maven repository

Gradle is a build automation tool for building JVM-based projects that works with Maven compatible repositories.

To resolve project dependencies from Bytesafe, the Maven repository needs to be declared in the build.gradle file.

// repository configuration in build.gradle

repositories {

maven {

name = 'bytesafe'

url 'https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/'

credentials {

username = 'bytesafe'

password = '{ACCESS-TOKEN}'

}

}

}

// specify project dependencies

dependencies {

implementation '{GROUP_ID}:{ARTIFACT_ID}:{VERSION}'

}

Consider storing credentials in ~/.gradle/gradle.properties file to avoid unintended distribution of credentials

To publish a package using Gradle, enable the maven-publish plugin and specify the target publishing repository in the build.gradle file.

// enable the maven-publish plugin

plugins {

id 'maven-publish'

}

publishing {

publications {

maven(MavenPublication) {

}

}

repositories {

maven {

name = 'bytesafe'

url = 'https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/'

credentials {

username = 'bytesafe'

password = '{ACCESS-TOKEN}'

}

}

}

With these quick additions to your Gradle project, you should be able to both build and deploy your own project to Bytesafe as well as install any required dependencies.

Want to know more about Bytesafe Maven repositories?

Refer to the Bytesafe documentation on Maven repositories for more in-depth information and guides.

Want to try it for yourself? Sign up for Bytesafe and get started today for free.

Security is never easy. Let us guide you through the jungle!

We’ll keep you up to date on supply chain security and send you the latest information.