Vulnerability scanning on private packages - Maven
When Aikido scans the dependencies of a repository that pulls private Maven packages, Aikido also needs access to those private packages. You can now provide a private Maven settings.xml configuration in Aikido for this.
Prerequisites
Prepare settings.xml
For private Maven packages, Aikido uses a settings.xml file to authenticate with the private registry.
Example settings.xml for accessing private packages on mvnrepository registry:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <servers>
    <server>
      <id>your-repository-id</id>
      <!-- Optional, you can leave this as a dummy value -->
      <username>your-username</username>
      <password>ACCESS_TOKEN</password>
    </server>
  </servers>
</settings>
Make sure your pom.xml files have releases and snapshots enabled for the repository, and that the repository id matches the server id in settings.xml:
<repositories>
  <repository>
    <id>your-repository-id</id>
    <url>https://...</url>
    <releases>
      <enabled>true</enabled>
    </releases>
    <snapshots>
      <enabled>true</enabled>
    </snapshots>
  </repository>
</repositories>
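A quick pre-flight check for the two prerequisites above, added here as an example and not part of Aikido's documentation or tooling: it parses a settings.xml and a pom.xml, confirms that every repository id in the pom has a matching server entry, that releases and snapshots are explicitly enabled, that the repository URL uses HTTPS (so the token is never sent in clear text), and that the password is not still the ACCESS_TOKEN placeholder from the example. The two XML documents are constructed sample inputs; the repository ids and token value in them are made up for the example, and the check never prints the password itself.

```python
"""Consistency check between a Maven settings.xml and a pom.xml before the
settings.xml is handed to a scanner (example code, constructed inputs)."""
import xml.etree.ElementTree as ET

# Values that mean the placeholder from the documentation was never replaced
# (assumption: "ACCESS_TOKEN" is the placeholder used in the example above).
PLACEHOLDER_SECRETS = {"ACCESS_TOKEN", ""}

# Constructed sample settings.xml: one real-looking server, one still on the placeholder.
SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>internal-releases</id><username>ci-bot</username><password>made-up-token-123</password></server>
    <server><id>legacy-mirror</id><username>your-username</username><password>ACCESS_TOKEN</password></server>
  </servers>
</settings>"""

# Constructed sample pom.xml: a good repository, a mis-configured one, and one with no server.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>internal-releases</id><url>https://repo.example.invalid/releases</url>
      <releases><enabled>true</enabled></releases><snapshots><enabled>true</enabled></snapshots></repository>
    <repository><id>legacy-mirror</id><url>http://mirror.example.invalid/maven</url>
      <releases><enabled>true</enabled></releases><snapshots><enabled>false</enabled></snapshots></repository>
    <repository><id>unlisted</id><url>https://other.example.invalid/maven</url></repository>
  </repositories>
</project>"""


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}id' -> 'id'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def parse_servers(settings_xml):
    """Map server id -> username and whether the password is still a placeholder."""
    servers = {}
    for block in _children(ET.fromstring(settings_xml), "servers"):
        for server in _children(block, "server"):
            servers[_text(server, "id")] = {
                "username": _text(server, "username"),
                "placeholder_password": _text(server, "password") in PLACEHOLDER_SECRETS,
            }
    return servers


def _enabled(repo, policy):
    """True only when <policy><enabled>true</enabled></policy> is explicitly present."""
    blocks = _children(repo, policy)
    return bool(blocks) and _text(blocks[0], "enabled").lower() == "true"


def parse_repositories(pom_xml):
    """Map repository id -> url and the releases/snapshots enabled flags."""
    repos = {}
    for block in _children(ET.fromstring(pom_xml), "repositories"):
        for repo in _children(block, "repository"):
            repos[_text(repo, "id")] = {
                "url": _text(repo, "url"),
                "releases": _enabled(repo, "releases"),
                "snapshots": _enabled(repo, "snapshots"),
            }
    return repos


def check(settings_xml, pom_xml):
    """Return a list of human-readable findings; an empty list means all good."""
    findings = []
    servers = parse_servers(settings_xml)
    for rid, repo in parse_repositories(pom_xml).items():
        if rid not in servers:
            findings.append(f"{rid}: no <server> with this id in settings.xml")
        elif servers[rid]["placeholder_password"]:
            findings.append(f"{rid}: <password> still holds the placeholder")
        if not repo["url"].startswith("https://"):
            findings.append(f"{rid}: repository URL is not https")
        if not repo["releases"]:
            findings.append(f"{rid}: <releases><enabled> is not true")
        if not repo["snapshots"]:
            findings.append(f"{rid}: <snapshots><enabled> is not true")
    return findings


if __name__ == "__main__":
    for finding in check(SETTINGS_XML, POM_XML) or ["OK: settings.xml and pom.xml agree"]:
        print(finding)
```

Run it against your own files by replacing the two constructed strings with the file contents; the HTTPS check is stricter than Maven itself requires, but a server entry paired with a plain-http repository URL would send the token unencrypted, which is the case you want to catch before sharing the configuration with any external scanner.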
Configuration in Aikido
Once the prerequisites are fulfilled, you can configure Aikido to authenticate with your private Maven registry when updating the dependencies by following the steps below:
Go to your account's Settings > Repositories page in Aikido.
Click Actions > Private Registry Connections.
Select the Maven tab, and paste your settings.xml contents here.
Click Apply Changes to save the configuration.
Aikido will use this settings.xml in all subsequent scans.