$ mvn --encrypt-master-password
Master password: *********
{encrypted_master_password}
Store this in ~/.m2/settings-security.xml
<settingsSecurity>
<master>{encrypted_master_password}</master>
</settingsSecurity>
Now encrypt your server password:
$ mvn --encrypt-password
Password: *********
{encrypted_password}
Store this in the <servers> section of your settings.xml file as follows:
<server>
<id>my.server</id>
<username>sample</username>
<password>{encrypted_password}</password>
</server>
Never pass passwords in plain text on the command line; they end up in your shell history and are visible to other users in the process list while the command runs. Do not do this:
$ mvn --encrypt-master-password P@ssw0rd
$ mvn --encrypt-password P@ssw0rd
Use HTTPS to connect to remote Maven repositories, so an attacker on the network cannot tamper with the artifacts you download (MITM). Ensure every URL in your <repositories>, <pluginRepositories> and <distributionManagement> sections, and in any <mirror> in settings.xml, uses https.
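To check an existing settings.xml and pom.xml against the two rules above (encrypted server passwords, https-only repository URLs), here is an added audit script; it is example code written for this page, not part of Maven or of Snyk. It uses a real XML parser rather than grep, because the xmlns declaration of every POM and settings file itself contains http://maven.apache.org/..., and it accepts ${...} property references as passwords since the secret then lives outside the file. The sample settings and POM, their ids and host names, and the {COQLCE6DU6GtcS5P=} value are all constructed for the example.

```python
"""Audit Maven settings.xml and pom.xml for plaintext <server> passwords and
for repository URLs that are not https.  Added example for this cheat sheet,
not code from Maven or Snyk."""
import re
import xml.etree.ElementTree as ET

# Maven's decryptor uses only the text between { and }; anything outside the
# braces is ignored, so a comment may precede the encrypted value.
ENCRYPTED_VALUE = re.compile(r"\{[^{}]+\}")

# Elements whose <url> child Maven downloads from or deploys to.
URL_BEARING = {"repository", "pluginRepository", "snapshotRepository", "mirror"}


def _local(tag):
    """Strip the XML namespace so pom and settings files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def find_plaintext_server_passwords(settings_xml):
    """Return the ids of <server> entries whose <password> is stored in clear."""
    root = ET.fromstring(settings_xml)
    offenders = []
    for server in root.iter():
        if _local(server.tag) != "server":
            continue
        password = _child_text(server, "password")
        if not password:
            continue  # no password at all, e.g. key-based auth
        if password.startswith("${"):
            continue  # property reference; the secret is injected at runtime
        if not ENCRYPTED_VALUE.search(password):
            offenders.append(_child_text(server, "id") or "<no id>")
    return offenders


def find_insecure_repository_urls(xml_text):
    """Return (element, id, url) for every repository-like <url> using http://."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in URL_BEARING:
            continue
        url = _child_text(elem, "url")
        if url.lower().startswith("http://"):
            findings.append((_local(elem.tag), _child_text(elem, "id") or "<no id>", url))
    return findings


# Constructed sample files: ids, hosts and the encrypted value are made up.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>my.server</id><username>sample</username>
      <password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>legacy.server</id><username>sample</username>
      <password>P@ssw0rd</password></server>
    <server><id>ci.server</id><username>sample</username>
      <password>${env.CI_TOKEN}</password></server>
  </servers>
  <mirrors>
    <mirror><id>internal</id><mirrorOf>central</mirrorOf>
      <url>http://nexus.internal.example/repository/maven-public/</url></mirror>
  </mirrors>
</settings>"""

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>old-repo</id><url>http://repo.example.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.org/maven2</url></pluginRepository>
  </pluginRepositories>
</project>"""

if __name__ == "__main__":
    for server_id in find_plaintext_server_passwords(SAMPLE_SETTINGS):
        print(f"plaintext password for server {server_id}")
    for doc in (SAMPLE_SETTINGS, SAMPLE_POM):
        for kind, repo_id, url in find_insecure_repository_urls(doc):
            print(f"{kind} {repo_id} uses {url}")
```

To audit real files, read ~/.m2/settings.xml and your pom.xml into strings and pass them to the two functions; settings.xml can also carry <repositories> inside <profiles>, which the URL check picks up because it walks the whole tree.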
Verify the health of your third-party libraries by confirming they have:
✓ A team of committers
✓ Well documented security policies
✓ Regular updates and releases
Do not use Maven dependencies with known vulnerabilities.
Use a tool like Snyk to:
✓ Test your app for known vulnerabilities.
✓ Automatically fix issues that exist.
✓ Continuously monitor for new vulnerabilities.
As part of validating the integrity of your dependencies, have Maven compare each downloaded artifact with the checksum the repository publishes for it:
$ mvn -C install   # --strict-checksums: fail the build if a checksum doesn't match
$ mvn -c install   # --lax-checksums: only warn if a checksum doesn't match
Note that the .sha1/.md5 checksum files are served by the same repository as the artifact, so this catches corrupted or out-of-sync downloads but not a repository or connection an attacker controls. For authenticity you need HTTPS and verification of the PGP signatures (.asc files) that Maven Central requires publishers to upload alongside their artifacts.
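What -C compares can be reproduced offline: Maven keeps the .sha1 or .md5 file it downloaded next to each artifact in the local repository, and a mismatch between the two is what makes a strict build fail. The following script, an added example written for this page and not Maven's own code, audits a local repository the same way; it also flags artifacts that have no sidecar at all, which this script treats as a failure. It handles both sidecar formats found in the wild (a bare digest, or a digest followed by the file name), and builds a constructed throwaway repository in a temp directory so it runs without network access; the paths, coordinates and artifact bytes in it are made up.

```python
"""Offline audit of a Maven local repository (~/.m2/repository by default):
recompute each artifact's SHA-1 or MD5 and compare it with the .sha1/.md5
sidecar Maven stored next to it, the same comparison `mvn -C` makes at download
time.  Added example for this cheat sheet, not Maven's own code."""
import hashlib
import os
import tempfile

SIDECARS = {".sha1": "sha1", ".md5": "md5"}
ARTIFACT_SUFFIXES = (".jar", ".pom", ".war")


def parse_sidecar(text):
    """Return the hex digest from a sidecar file.  Repositories publish either a
    bare digest or `digest  filename` (sha1sum style); the first token is the digest."""
    tokens = text.strip().split()
    return tokens[0].lower() if tokens else ""


def file_digest(path, algorithm):
    """Stream the file through hashlib so large jars need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path):
    """Return (status, detail): 'ok', 'mismatch', or 'missing' when no sidecar
    exists at all (treated as a failure by this script)."""
    seen_sidecar = False
    for suffix, algorithm in SIDECARS.items():
        sidecar = path + suffix
        if not os.path.exists(sidecar):
            continue
        seen_sidecar = True
        with open(sidecar, encoding="ascii", errors="replace") as fh:
            expected = parse_sidecar(fh.read())
        actual = file_digest(path, algorithm)
        if actual != expected:
            return "mismatch", f"{suffix}: expected {expected}, got {actual}"
    return ("ok", "") if seen_sidecar else ("missing", "no .sha1 or .md5 sidecar")


def audit_repository(root):
    """Walk a local repository and map each artifact's relative path to its status."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ARTIFACT_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = verify_artifact(full)[0]
    return results


def build_sample_repository():
    """Create a throwaway repository with one intact artifact, one whose bytes no
    longer match its sidecar, and one with no sidecar.  Constructed test data."""
    root = tempfile.mkdtemp(prefix="m2-audit-")

    def put(rel_path, data):
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    good = b"PK\x03\x04 intact artifact bytes"
    put("com/example/good/1.0/good-1.0.jar", good)
    put("com/example/good/1.0/good-1.0.jar.sha1",
        hashlib.sha1(good).hexdigest().encode() + b"  good-1.0.jar\n")
    # Sidecar still describes the original bytes, but the jar has been replaced.
    put("com/example/bad/1.0/bad-1.0.jar", b"PK\x03\x04 replaced artifact bytes")
    put("com/example/bad/1.0/bad-1.0.jar.sha1",
        hashlib.sha1(b"PK\x03\x04 original artifact bytes").hexdigest().encode() + b"\n")
    put("com/example/nochk/1.0/nochk-1.0.pom", b"<project/>")
    return root


if __name__ == "__main__":
    repo = build_sample_repository()
    for artifact, status in sorted(audit_repository(repo).items()):
        print(f"{status:8} {artifact}")
```

Point audit_repository() at ~/.m2/repository to check a real cache. A clean result means the cache is consistent with what the repository claimed at download time; it says nothing about whether that repository, or the network between you and it, was trustworthy.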
Use the <developers> roles in your POM to state who should be contacted for security issues:
<developers>
<developer>
<id>grander</id>
<name>Danny Grander</name>
<email>security@your_org.com</email>
<roles>
<role>security</role>
</roles>
</developer>
</developers>
Try to stay on the latest release of Maven; check the download page for the current version.
Avoid Maven 3.0.4, which does not validate server certificates on HTTPS connections and so defeats the purpose of using https URLs.
Monitor the security bulletins the Apache Maven team publishes on the Maven site.