DEV Community

Cover image for Time for secure dependencies? Private Maven repository for Java, Kotlin, Scala
Andreas Sommarström
Andreas Sommarström

Posted on • Originally published at bytesafe.dev

Time for secure dependencies? Private Maven repository for Java, Kotlin, Scala

Maven is a build tool to manage Java, Kotlin, Scala or similar JVM based languages projects - including all its dependencies, both open source and private. A great way to make sure your organization uses trusted and approved dependencies is to use a private Maven repository - and it's no more complicated than using the default repository.

The two main reasons to use private Maven repositories for your JVM packages:

  1. Secure source for open source dependencies. With 1300+ public repositories and over 24 million Java artifacts, organizations need to control the code they are using - and not allow free entry of untrusted components.

  2. Distribute internal components. With a wide range of applications that depend on each other, organizations require private repositories to share code between services while keeping artifacts private and secure.

Protect your software supply chain and make sure every developer and CI/CD system uses trusted dependencies from a single secure source. With hundreds of automated CI/CD pipelines and decentralized developers this is not an easy task - but definitely achievable with the right tools.

With the recent disclosures of critical vulnerabilities in the widely used open source framework log4j, this is more relevant than ever.

Apache log4j vulernabilities

The exploits in log4j have once again stressed the need to keep track of open source dependencies - else risk being exploited by vulnerabilities that could give full server control.

This post describes how you easily set up a secure and private Maven repository - so you can stay in control of the dependencies you are using.

Require a private Maven repository of your own? Bytesafe repositories are compatible with both Maven and Gradle - hosted so you can get started instantly without having to think of infrastructure.

Getting started with a secure Maven repository

With minimal configuration your build clients can fetch trusted dependencies from your private repository instead of relying on (the default) Maven Central.

The popular build tools Maven & Gradle fully support private repositories, both as the target when deploying packages or as the source when fetching dependencies.

Create a Maven repository

To get started you need to create a Maven repository and configure access to it for your client of choice.

create a Maven registry in Bytesafe

After you have created your Maven repository, you need to add an access token to your project. The access token ensures only intended users have access to packages stored in the private registry.

Create an access token and add it to your list of repositories in your configuration file for Maven (settings.xml).

<!-- Add the access token and id configuration to settings.xml -->
<servers> 
    <server>
        <id>{MAVEN-REGISTRY}</id>
        <username>{USER}</username>
        <password>{ACCESS-TOKEN}</password>
        <configuration>
            <httpConfiguration>
                <all>
                    <usePreemptive>true</usePreemptive>
                </all>
            </httpConfiguration>
        </configuration>
    </server>
</servers>
Enter fullscreen mode Exit fullscreen mode

The id in settings.xml needs to match other configuration provided for uploading packages and installing dependencies.

Upload a Maven package

Maven artifacts can be added to the private repository using mvn deploy (or by uploading files manually).

To deploy using the mvn client users need to add the necessary configuration to the project pom.xml file.

<!-- Add the repository and snapshotRepository configuration to pom.xml -->
<distributionManagement>
    <repository>
        <id>{MAVEN-REGISTRY}</id>
        <url>https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/</url>
    </repository>
    <snapshotRepository>
        <id>{MAVEN-REGISTRY}</id
        <url>https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/</url>
    </snapshotRepository>
</distributionManagement>
Enter fullscreen mode Exit fullscreen mode

Users can choose to deploy snapshots and release versions to either the same or different registries.

With your Maven project configured you can deploy artifacts to your private registry either manually or as part of your CI/CD chain.

# Deploy artifacts to Bytesafe using Maven
$ mvn clean deploy
Enter fullscreen mode Exit fullscreen mode

As soon as the process has completed, the artifact will be available and accessible.

Resolving Maven project dependencies

A major part of building a Maven project is resolving any dependencies specified for the project. Any <dependency> specified in the pom.xml file, will be fetched when building the project.

When using private repositories from Bytesafe, public dependencies will be proxied, pulling any required (and allowed) version into your private Maven repository. Using public repositories like Maven Central as an upstream makes sure you can access your organization's required open source dependencies - while maintaining security and control.

To make sure security features are not bypassed for individual projects, it's recommended to use a mirror configuration to set the private Maven repository as the general package source.

<!-- Mirror configuration in settings.xml -->
<mirrors>
    <mirror>
        <id>{MAVEN-REGISTRY}</id>
        <mirrorOf>*</mirrorOf>
        <url>https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/</url>
    </mirror>
</mirrors>
Enter fullscreen mode Exit fullscreen mode

With project dependencies specified in the pom.xml file, you can install dependencies using regular Maven commands like mvn install or mvn verify.

# Install Maven dependencies from Bytesafe
$ mvn clean install
Enter fullscreen mode Exit fullscreen mode

Installing SNAPSHOT versions

To install snapshot versions (X.-SNAPSHOT) with Maven, users are required to explicitly specify the use of a snapshot repository. This is because there is no default snapshot repository associated with Maven.

This can be set either per project in the pom.xml file or project agnostic as part of a user's profile. See the Bytesafe documentation or the official Maven docs for more details.

Using Gradle with your Maven repository

Gradle is a popular alternative build automation tool for JVM-based projects that works with Maven compatible repositories.

To resolve project dependencies from the private Maven repository, the repository needs to be declared in the build.gradle file.


// repository configuration in build.gradle

repositories {
   maven {
      name = 'bytesafe'
      url 'https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/'
      credentials {
         username = 'bytesafe'
         password = '{ACCESS-TOKEN}'
      }
   }
}

// specify project dependencies

dependencies {
   implementation '{GROUP_ID}:{ARTIFACT_ID}:{VERSION}'
}

Enter fullscreen mode Exit fullscreen mode

Note: Users should consider storing credentials in ~/.gradle/gradle.properties file in-place of build.gradle to avoid unintended distribution of credentials.

To publish a package using Gradle, enable the maven-publish plugin and specify the target publishing repository in the build.gradle file.

// enable the maven-publish plugin
plugins {
   id 'maven-publish'
}

publishing {
   publications {
      maven(MavenPublication) {
   }
}

repositories {
   maven {
      name = 'bytesafe'
      url = 'https://{WORKSPACE}.bytesafe.dev/maven/{REGISTRY}/'
      credentials {
        username = 'bytesafe'
        password = '{ACCESS-TOKEN}'
      }
   }
}
Enter fullscreen mode Exit fullscreen mode

With these quick additions to your Gradle project, you should be able to both build and deploy your own project using a private Maven repository as well as install any required dependencies.

Want to know more about Bytesafe's Firewall for dependencies?

Secure your supply chain with private registries compatible with package managers like npm, maven and nuget. Refer to the Bytesafe documentation on package managers for more in-depth information and guides.

Enforce your security policies and automatically quarantine unwanted dependencies. Avoid compromised new versions with a set delay before newly published versions are allowed in your organization.

Want to try it for yourself? Sign up for Bytesafe and get started today - no strings attached.

Discussion (0)