PkgRadar

Coverage maven

Maven repo1.maven.org

Java / JVM, including Android. Both `.jar` and Android `.aar` releases are fetched and walked — an `.aar`'s nested `classes.jar` is unpacked and inspected too. Releases get indicator-filename, native-blob, JNDI/Log4Shell-family class-path, and manifest/AndroidManifest signals; when a source jar is present it gets full static analysis (Runtime.exec, reflection-based exec bypass, URLClassLoader.defineClass, untrusted deserialization, static-init side effects).

Packages scanned

164.5K

High risk

89

Review

6,674

High-severity findings

32

Last scan

28m ago

Install-time attack surface

static initializer blocks (run on first class load) + Maven plugin code (runs in the build JVM)

Supported lockfile formats

Spec format

pkgradar gate --ecosystem maven com.fasterxml.jackson.core:[email protected]

Recent activity

The corpus-wide release feed lives on /campaigns. A per-ecosystem release feed for Maven is on the roadmap — the stats above are filtered to this ecosystem in the meantime.

Other ecosystems