How Maven’s New Vulnerability Highlight Helps Prevent Log4j‑Style Exploits
The article explains Maven Central's new "Vulnerabilities" column that highlights known CVEs for each dependency, discusses its relevance to recent Log4j2 risks, and shows how to use the OWASP Dependency‑Check Maven plugin to scan and report vulnerable Java libraries.
Apache Maven’s official response to the newly added “Vulnerabilities” column in the Maven Central repository (mvnrepository.com) is shown below.
The new red‑highlighted “Vulnerabilities” field displays known CVE information for each dependency version, helping developers notice and evaluate security issues.
Note that only publicly disclosed vulnerabilities are shown; the Maven Central repository itself does not scan for vulnerabilities.
The measure is timely, introducing a mechanism of the kind the Log4j2 vulnerability showed was needed. According to Google, more than 35,000 Java libraries are affected by Log4j, about 8% of the artifacts stored in Maven Central, and only 48% of the affected artifacts have been fixed.
If you want to avoid using libraries with known security issues, you can scan your project with the OWASP Dependency-Check Maven plugin by adding it to your pom.xml:
    <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>6.5.1</version>
        <executions>
            <execution>
                <goals>
                    <goal>check</goal>
                </goals>
            </execution>
        </executions>
    </plugin>

Running mvn verify produces output such as:

    One or more dependencies were identified with known vulnerabilities in ctlog:

    httpclient-4.3.3.jar (cpe:/a:apache:httpclient:4.3.3, org.apache.httpcomponents:httpclient:4.3.3) : CVE-2015-5262, CVE-2014-3577
    bcprov-jdk15on-1.49.jar (cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.49, org.bouncycastle:bcprov-jdk15on:1.49) : CVE-2015-7940

    See the dependency-check report for more details.

The plugin can also generate a vulnerability report to assist security teams in evaluating and mitigating risks.
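As an added example (not code from the original article or from the OWASP project), the small Python script below parses the summary block that dependency-check prints into structured findings, then applies a triage allowlist so a CI step can fail only on CVEs nobody has reviewed yet. The sample output is constructed from the lines shown above, and the allowlisted CVE and its reason are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the summary block dependency-check prints after `mvn verify`
SAMPLE_OUTPUT = """\
One or more dependencies were identified with known vulnerabilities in ctlog:

httpclient-4.3.3.jar (cpe:/a:apache:httpclient:4.3.3, org.apache.httpcomponents:httpclient:4.3.3) : CVE-2015-5262, CVE-2014-3577
bcprov-jdk15on-1.49.jar (cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.49, org.bouncycastle:bcprov-jdk15on:1.49) : CVE-2015-7940

See the dependency-check report for more details.
"""

# One finding line: "<jar> (<cpe>, <groupId:artifactId:version>) : CVE-..., CVE-..."
FINDING_RE = re.compile(r"^(?P<jar>\S+\.jar) \((?P<ids>[^)]*)\) : (?P<cves>.+)$")


@dataclass
class Finding:
    jar: str
    cpe: Optional[str]   # CPE identifier, if present
    gav: Optional[str]   # Maven coordinates groupId:artifactId:version, if present
    cves: List[str]


def parse_findings(text: str) -> List[Finding]:
    """Extract one Finding per vulnerable jar; header and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        cpe = gav = None
        for ident in (i.strip() for i in m.group("ids").split(",")):
            if ident.startswith("cpe:"):
                cpe = ident
            elif ident.count(":") == 2:   # groupId:artifactId:version
                gav = ident
        cves = [c.strip() for c in m.group("cves").split(",") if c.strip()]
        findings.append(Finding(m.group("jar"), cpe, gav, cves))
    return findings


def all_cves(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated CVE ids across every finding (useful for a ticket or report)."""
    return sorted({cve for f in findings for cve in f.cves})


def remaining_after_suppression(findings: List[Finding], suppressed: Set[str]) -> Dict[str, List[str]]:
    """Map each artifact (GAV, or jar name as fallback) to the CVEs that are not yet triaged.

    Artifacts whose CVEs are all suppressed are dropped, so an empty dict means the build may pass."""
    remaining = {}
    for f in findings:
        open_cves = [c for c in f.cves if c not in suppressed]
        if open_cves:
            remaining[f.gav or f.jar] = open_cves
    return remaining
```

Treat the allowlist as a reviewed record (who accepted which CVE and why), mirroring the plugin's own suppression mechanism rather than replacing it.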
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"