Dependency-Track Adds Maven/pom.xml Support as 9th Ecosystem, Expanding Java Vulnerability Scanning
Dependency-Track, an open-source software composition analysis (SCA) platform, has expanded its vulnerability scanning capabilities to include the Maven ecosystem. This marks the ninth package manager supported by the project, integrating Java projects into its automated security analysis pipeline. The new feature enables the parsing of `pom.xml` files, fetching version metadata from Maven Central, and scanning dependencies for known vulnerabilities via the OSV.dev database.
The implementation introduces a new `MavenParser` built on the `quick-xml` library. It streams the XML rather than loading the whole document, substitutes `${property}` references, and is scope-aware: dependencies declared with `test` or `provided` scope are marked as development dependencies. One caveat for anyone triaging results: `provided` artifacts are still present at runtime, supplied by the container or platform rather than packaged by the build, so their findings should not be dismissed as test-only noise. A companion `MavenCentralRegistry` resolves artifact versions with a hybrid strategy, combining the `maven-metadata.xml` files published on Maven Central with direct parsing of project POMs. The feature is wired end-to-end, including configuration, caching, and matching against the OSV advisory service.
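As an added example, not the project's own code (which is written against `quick-xml`), the following Python shows the three pieces described above in stdlib `xml.etree`: a POM parser that expands `${property}` references (including nested ones and the built-in `project.*` values) and flags `test`/`provided` as dev-only, a `maven-metadata.xml` reader that skips prerelease qualifiers when picking the latest version, and construction of the OSV.dev `querybatch` request body, in which Maven packages are named `groupId:artifactId`. The sample `pom.xml` and `maven-metadata.xml` are constructed inline, the prerelease qualifier list is this example's own assumption, and nothing is fetched over the network.

```python
"""Added example (not Dependency-Track's code): parse a Maven pom.xml with
${property} substitution and scope awareness, pick the latest stable version
from a maven-metadata.xml, and build an OSV.dev querybatch body. Stdlib only;
every XML document below is constructed sample input."""
import re
import xml.etree.ElementTree as ET

DEV_SCOPES = {"test", "provided"}          # dev-only scopes, the rule the article describes
PROP_RE = re.compile(r"\$\{([^}]+)\}")
# Qualifiers treated as prerelease here; this list is an assumption, not the project's rule.
PRERELEASE_RE = re.compile(r"-(?:SNAPSHOT|alpha|beta|rc|cr|m|milestone|preview)\d*(?:$|[.-])", re.I)

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.2.3</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
    <jackson.major>2.13</jackson.major>
    <jackson.version>${jackson.major}.0</jackson.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>demo-core</artifactId>
      <version>${project.version}</version></dependency>
    <dependency><groupId>org.junit.jupiter</groupId><artifactId>junit-jupiter</artifactId>
      <version>5.9.0</version><scope>test</scope></dependency>
    <dependency><groupId>javax.servlet</groupId><artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version><scope>provided</scope></dependency>
    <dependency><groupId>org.example</groupId><artifactId>managed-elsewhere</artifactId></dependency>
  </dependencies>
</project>"""

# Maven Central writes <versions> oldest first; this copy is constructed, not fetched.
SAMPLE_METADATA = """<metadata><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
  <versioning><versions><version>2.14.1</version><version>2.17.1</version><version>2.19.0</version>
  <version>2.20.0-alpha1</version><version>2.20.0-SNAPSHOT</version></versions></versioning></metadata>"""


def _text(el, name):
    """Direct child text in any (or no) namespace, stripped; None when the child is absent."""
    t = el.findtext("{*}" + name)
    return t.strip() if t is not None else None


def resolve_property(value, props, depth=0):
    """Expand ${key} references, including nested ones; unknown keys stay verbatim.
    The depth guard stops a self-referential property from recursing forever."""
    if value is None or depth > 16:
        return value
    expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else resolve_property(expanded, props, depth + 1)


def is_prerelease(version):
    return bool(PRERELEASE_RE.search(version))


def parse_pom(xml_text):
    """Return the direct dependencies with resolved versions and a dev flag."""
    root = ET.fromstring(xml_text)
    props_el = root.find("{*}properties")
    props = {} if props_el is None else {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip() for p in props_el}
    for key in ("groupId", "artifactId", "version"):      # built-in project.* properties
        if _text(root, key) is not None:
            props["project." + key] = _text(root, key)
    deps = []
    for dep in root.iterfind("{*}dependencies/{*}dependency"):
        scope = _text(dep, "scope") or "compile"
        deps.append({
            "group": resolve_property(_text(dep, "groupId"), props),
            "artifact": resolve_property(_text(dep, "artifactId"), props),
            "version": resolve_property(_text(dep, "version"), props),  # None when managed by a parent/BOM
            "scope": scope,
            "dev": scope in DEV_SCOPES,
        })
    return deps


def latest_stable_version(metadata_xml):
    """Newest non-prerelease entry of a maven-metadata.xml, relying on file order."""
    root = ET.fromstring(metadata_xml)
    stable = [v.text.strip() for v in root.iterfind(".//{*}versions/{*}version")
              if v.text and not is_prerelease(v.text.strip())]
    return stable[-1] if stable else None


def osv_querybatch(deps):
    """Body for POST https://api.osv.dev/v1/querybatch; OSV names Maven packages groupId:artifactId.
    Dependencies whose version is unresolved are skipped rather than guessed."""
    return {"queries": [
        {"package": {"ecosystem": "Maven", "name": f"{d['group']}:{d['artifact']}"}, "version": d["version"]}
        for d in deps if d["version"] and not PROP_RE.search(d["version"])
    ]}


if __name__ == "__main__":
    parsed = parse_pom(SAMPLE_POM)
    for d in parsed:
        print(f"{d['group']}:{d['artifact']} {d['version']} scope={d['scope']} dev={d['dev']}")
    print("latest stable:", latest_stable_version(SAMPLE_METADATA))
    print("OSV queries:", len(osv_querybatch(parsed)["queries"]))
```

The dependency without a `<version>` is deliberately kept in the parsed list but left out of the OSV request: in a real project its version comes from a parent POM or an imported BOM, and a scanner that guesses instead of resolving it will either miss advisories or report them against the wrong version.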
This addition significantly broadens Dependency-Track's reach within the enterprise software development landscape, where Java and Maven remain foundational. By bringing Java projects under the same continuous security scrutiny as ecosystems like Node.js, Python, and Go, the platform closes a critical gap in dependency management for a vast number of organizations. The release follows an adversarial review process, with fixes applied to position tracking, configuration propagation, and prerelease version detection to ensure robustness.