You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This enables the use of the --include-provenance flag for the test and sbom commands on maven projects. --include-provenance will result in the DepGraph produced by snyk test including a purl entry for the packages, which if artifacts were present in the local repository will contain a checksum qualifier. This can be visibly observed via the --print-graph option. e.g.:
For correctly testing any maven project, it will first need to have the artifacts present in the local repository. Either via mvn clean install -DskipTests or similar commands.
Build cliv2 locally via npm install && npm run build-cli:prod, then make clean pre-build build.
I have run into various issues trying to build this locally, requiring some local changes and re-running make build.
This builds a release at /path/to/cli/binary-releases/snyk-${arch}, e.g. ~/code/cli/binary-releases/snyk-macos-arm64
/path/to/cli/binary-releases/snyk-macos-arm64 test --file=pom.xml --include-provenance --print-graph
/path/to/cli/binary-releases/snyk-macos-arm64 sbom --format=cyclonedx1.6+json --include-provenance
What's the product update that needs to be communicated to CLI users?
test(maven): A new experimental flag --include-provenance that will produce DepGraphs containing purls with checksum qualifiers for each package. Primarily to be used via --print-graph, not yet used in the main testing flow.
sbom(maven): A new experimental flag --include-provenance that will produce an SBOM with checksum qualifiers in each purl.
Risk assessment Low
Optional flag, no negative impact on snyk test or snyk sbom commands:
❯ ~/code/cli/binary-releases/snyk-macos-arm64 test --file=pom.xml --include-provenance
Testing /Users/calumharrison/IdeaProjects/snapshot-child...
Organization: randd-enablement-template
Package manager: maven
Target file: pom.xml
Project name: io.snyk.os-managed:snapshot-child
Open source: no
Project path: /Users/calumharrison/IdeaProjects/snapshot-child
Licenses: enabled
✔ Tested 7 dependencies for known issues, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
Any background context you want to provide?
In order to support more accurate package provenance we're going to add support to the package issues api for checksum qualifiers on the purl in the request. Beginning with the Maven ecosystem, this will use the provided checksum to check whether the dependency is an exact match to the one we have recorded, or if there is some mismatch. API responses can then be adjusted accordinly
Please make changes to snyk help text in Gitbook. Changes will be automatically synchronised to Snyk CLI as a scheduled PR.
For more information, see: help/README.md.
⚠️
Since the CLI is unifying on a standard and improved tooling, we're starting to migrate old-style imports and exports to ES6 ones.
A file you've modified is using either module.exports or require(). If you can, please update them to ES6 import syntax and export syntax.
Files found:
Warnings ⚠️
Please make changes to snyk help text in Gitbook. Changes will be automatically synchronised to Snyk CLI as a scheduled PR. For more information, see: help/README.md.
⚠️
Since the CLI is unifying on a standard and improved tooling, we're starting to migrate old-style imports and exports to ES6 ones. A file you've modified is using either module.exports or require(). If you can, please update them to ES6 import syntax and export syntax. Files found:
src/cli/args.ts contains a few comments like this, so I'll be leaving that for cli maintainers:
// By passing `-d` to the CLI, we enable the debugging output.
// It needs to happen BEFORE any of the `debug(namespace)` calls needed to create loggers.
// Therefore, the code used by the CLI should create the loggers in a lazy fashion
// or be `require`d after this code.
...
// Late require, see the note re "debug" option above.
calhar-snyk
changed the title
Feat/osm 3052 support maven artifact fingerprinting
feat: Add experimental flag --include-provenance to support package provenance work
Oct 17, 2025
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
calhar-snyk
force-pushed
the
feat/OSM-3052-support-maven-artifact-fingerprinting
branch
7 times, most recently
from
Pull Request Submission Checklist
are release-note ready, emphasizing
what was changed, not how.
What does this PR do?
This updates
snyk-mvn-pluginand introduces some new command options to enable these PRS:Additionally, updates the associated cli extensions to enable the command option for
snyk sbom:--include-provenanceinsbom createcli-extension-sbom#153--include-provenancein sbom create usingsnyk test --print-graphcli-extension-dep-graph#29This enables the use of the
--include-provenanceflag for the test and sbom commands on maven projects.--include-provenancewill result in the DepGraph produced bysnyk testincluding apurlentry for the packages, which if artifacts were present in the local repository will contain a checksum qualifier. This can be visibly observed via the--print-graphoption. e.g.:This is also available via
snyk sbomwhich will produce an sbom where thepurlalso has these qualifiers, e.g.:Where should the reviewer start?
The tests outline some of the expected behaviour, they may also wish to examine the underlying PRS:
--include-provenanceinsbom createcli-extension-sbom#153--include-provenancein sbom create usingsnyk test --print-graphcli-extension-dep-graph#29How should this be manually tested?
For correctly testing any maven project, it will first need to have the artifacts present in the local repository. Either via
mvn clean install -DskipTestsor similar commands.Build cliv2 locally via
npm install && npm run build-cli:prod, thenmake clean pre-build build.I have run into various issues trying to build this locally, requiring some local changes and re-running
make build.This builds a release at
/path/to/cli/binary-releases/snyk-${arch}, e.g. ~/code/cli/binary-releases/snyk-macos-arm64Then test projects via:
What's the product update that needs to be communicated to CLI users?
--include-provenancethat will produce DepGraphs containingpurlswithchecksumqualifiers for each package. Primarily to be used via--print-graph, not yet used in the main testing flow.--include-provenancethat will produce an SBOM withchecksumqualifiers in eachpurl.Risk assessment Low
Optional flag, no negative impact on
snyk testorsnyk sbomcommands:Any background context you want to provide?
In order to support more accurate package provenance we're going to add support to the package issues api for
checksumqualifiers on thepurlin the request. Beginning with the Maven ecosystem, this will use the provided checksum to check whether the dependency is an exact match to the one we have recorded, or if there is some mismatch. API responses can then be adjusted accordinlyWhat are the relevant tickets?