All maven artifacts have known repository URLs Package
Each Maven package listed in an SBOM must specify the repository URL that it comes from, and that URL must be present in the list of known and permitted Maven repositories. If no URL is specified, the package is assumed to come from Maven Central.
Rules Included
Known Repository URLs
Each Maven package listed in an SBOM must specify the repository URL that it comes from, and that URL must be present in the list of known and permitted Maven repositories. If no URL is specified, the package is assumed to come from Maven Central.
Solution: The Maven artifact originates from an untrusted or unpermitted repository. To resolve this, ensure the dependency is sourced from a repository defined in the 'allowed_maven_repositories' list in your policy configuration. If the repository is internal, add its URL to the allowed list in rule_data.
- Rule type: FAILURE
- FAILURE message: %s
- Code: maven_repos.deny_unpermitted_urls
- Effective from: 2026-05-10T00:00:00Z
Policy data validation
Ensures the required allowed_maven_repositories list is provided.
Solution: Ensure that 'allowed_maven_repositories' is defined in the rule_data provided to the policy, and that it contains a list of authorized repository URLs.
- Rule type: FAILURE
- FAILURE message: Policy data is missing the required "%s" list
- Code: maven_repos.policy_data_missing
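The two rules above, worked through as an added Python illustration of their logic; this is not the policy's own Rego code. It assumes (the page does not say so) that each SBOM entry is a package URL whose optional repository_url qualifier names the source repository, and that Maven Central is https://repo.maven.apache.org/maven2; the sample purls and rule_data are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated on the page): the SBOM records each Maven package as a
# package URL (purl) whose optional "repository_url" qualifier names the source
# repository. When the qualifier is absent the package is treated as coming
# from Maven Central, as the rule description says.
MAVEN_CENTRAL = "https://repo.maven.apache.org/maven2"

def normalize(url: str) -> str:
    """Canonical form for comparison: no scheme, no trailing slash, lower case."""
    url = url.strip().lower()
    for scheme in ("https://", "http://"):
        if url.startswith(scheme):
            url = url[len(scheme):]
    return url.rstrip("/")

def repository_of(purl: str) -> str:
    """Repository URL named by a Maven purl, defaulting to Maven Central."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError(f"not a Maven purl: {purl}")
    qualifiers = parse_qs(urlsplit(purl).query)
    return qualifiers.get("repository_url", [MAVEN_CENTRAL])[0]

def evaluate(sbom_purls: list[str], rule_data: dict) -> list[str]:
    """Mirror the two rules: policy_data_missing first, then deny_unpermitted_urls."""
    allowed = rule_data.get("allowed_maven_repositories")
    if not isinstance(allowed, list) or not allowed:
        return ['Policy data is missing the required "allowed_maven_repositories" list']
    permitted = {normalize(u) for u in allowed}
    violations = []
    for purl in sbom_purls:
        repo = repository_of(purl)
        if normalize(repo) not in permitted:
            violations.append(f"{purl}: repository {repo} is not permitted")
    return violations

# Constructed sample input: three SBOM entries and a rule_data block.
SAMPLE_PURLS = [
    "pkg:maven/org.apache.commons/commons-lang3@3.14.0",  # no qualifier -> Central
    "pkg:maven/com.example/internal-lib@1.2.0"            # one purl, split over two lines
    "?repository_url=https://nexus.example.internal/repository/maven-releases/",
    "pkg:maven/com.example/mystery@0.1?repository_url=https://repo.example.net/other",
]
SAMPLE_RULE_DATA = {
    "allowed_maven_repositories": [
        MAVEN_CENTRAL,
        "https://nexus.example.internal/repository/maven-releases",
    ],
}

if __name__ == "__main__":
    for line in evaluate(SAMPLE_PURLS, SAMPLE_RULE_DATA):
        print(line)
```

Only the third sample entry is reported: the first falls back to Maven Central and the second matches the internal repository despite the trailing slash.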