Java Maven Dependency Security Audit
Scan pom.xml for CVEs without installing OWASP Dependency-Check. Paste your manifest and get a fixed pom.xml with safe dependency versions. Variable resolution included.
How to scan Java dependencies
Paste your pom.xml into PackageFix. The tool queries the OSV vulnerability database live and returns:
- CVE table with severity badges (CRITICAL, HIGH, MEDIUM, LOW)
- CISA KEV flags — actively exploited packages highlighted in red
- Side-by-side diff: your versions vs fixed versions
- Download fixed pom.xml + changelog as .zip
- Renovate config + GitHub Actions workflow template
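The steps above (parse the manifest, resolve Maven properties, query OSV, pick a fix version, write it back) as an added, self-contained example in Python; this is not PackageFix's own code. It assumes the real OSV batch endpoint shape (POST https://api.osv.dev/v1/querybatch with `{"queries": [{"package": {"name", "ecosystem"}, "version"}]}`) but never sends a request; the pom.xml and the OSV-shaped advisory record (placeholder id `EXAMPLE-0001`, not a real advisory) are constructed inline so it runs offline. Version ordering is a simplified dotted-numeric compare, not Maven's full `ComparableVersion` rules, and CISA KEV flagging is not modelled.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
PROP_RE = re.compile(r"\$\{([^}]+)\}")
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample manifest: one version is held in a Maven property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.13.0</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory in OSV record shape (placeholder id, not a real vulnerability).
SAMPLE_ADVISORIES = {
    "com.fasterxml.jackson.core:jackson-databind": [{
        "id": "EXAMPLE-0001",
        "database_specific": {"severity": "HIGH"},
        "affected": [{
            "package": {"ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.13.4"}]}],
        }],
    }],
}


def resolve(value, props, depth=0):
    """Expand ${name} references; properties may reference other properties."""
    if value is None or depth > 10:
        return value
    expanded = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else resolve(expanded, props, depth + 1)


def parse_pom(text):
    """Return [{name: 'group:artifact', version, source}] with properties resolved."""
    root = ET.fromstring(text)
    props = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.findall("m:properties/*", NS)}
    for key in ("groupId", "artifactId", "version"):  # Maven's built-in project.* properties
        el = root.find("m:" + key, NS)
        if el is not None and el.text:
            props["project." + key] = el.text.strip()
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        raw = d.findtext("m:version", default="", namespaces=NS).strip()
        m = PROP_RE.fullmatch(raw)
        deps.append({
            "name": resolve(d.findtext("m:groupId", namespaces=NS), props) + ":"
                    + resolve(d.findtext("m:artifactId", namespaces=NS), props),
            "version": resolve(raw, props),
            "source": ("property:" + m.group(1)) if m else "literal",  # remembered so the fix lands in the right place
        })
    return deps


def osv_querybatch_payload(deps):
    """Body for POST https://api.osv.dev/v1/querybatch (built here, not sent)."""
    return {"queries": [{"package": {"name": d["name"], "ecosystem": "Maven"}, "version": d["version"]} for d in deps]}


def version_key(v):
    """Simplified ordering on dotted numeric parts; not full Maven ComparableVersion semantics."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def check_advisory(name, version, advisory):
    """Return (affected, fixed): lowest fix above the current version, or None if no fix is listed."""
    cur, affected, fixes = version_key(version), False, []
    for aff in advisory.get("affected", []):
        if aff.get("package", {}).get("name") != name:
            continue
        for rng in aff.get("ranges", []):
            introduced, fixed = "0", None  # simplification: one introduced/fixed pair per range
            for ev in rng.get("events", []):
                introduced, fixed = ev.get("introduced", introduced), ev.get("fixed", fixed)
            if version_key(introduced) <= cur and (fixed is None or cur < version_key(fixed)):
                affected = True
                if fixed:
                    fixes.append(fixed)
    return affected, (min(fixes, key=version_key) if fixes else None)


def audit(deps, advisories_by_name):
    """CVE-table rows sorted by severity, each carrying the version that resolves it."""
    findings = []
    for dep in deps:
        for adv in advisories_by_name.get(dep["name"], []):
            affected, fixed = check_advisory(dep["name"], dep["version"], adv)
            if affected:
                sev = adv.get("database_specific", {}).get("severity", "UNKNOWN")
                findings.append({**dep, "id": adv["id"], "severity": sev, "fixed": fixed})
    return sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))


def apply_fixes(pom_text, findings):
    """Write fixes back into the property that supplied the version, else into the literal <version>."""
    ET.register_namespace("", POM_NS)  # keep the default namespace on output
    root = ET.fromstring(pom_text)
    for f in findings:
        if not f["fixed"]:
            continue
        if f["source"].startswith("property:"):
            prop = f["source"].split(":", 1)[1]
            el = next((p for p in root.findall("m:properties/*", NS) if p.tag == "{%s}%s" % (POM_NS, prop)), None)
        else:
            group, artifact = f["name"].split(":", 1)
            el = next((d.find("m:version", NS) for d in root.findall("m:dependencies/m:dependency", NS)
                       if d.findtext("m:groupId", namespaces=NS) == group
                       and d.findtext("m:artifactId", namespaces=NS) == artifact), None)
        if el is not None:
            el.text = f["fixed"]
    return ET.tostring(root, encoding="unicode")
```

The `source` field is the point of the variable-resolution step: a fixer that rewrites the literal `<version>${jackson.version}</version>` would break the build, so the fix is written into the `<properties>` entry instead, and every other dependency sharing that property moves with it.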
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
No signup · No CLI · No GitHub connection · Runs 100% in your browser
Frequently Asked Questions
How do I scan Java dependencies for CVEs?
Paste your pom.xml into PackageFix. It queries the OSV vulnerability database live and returns a CVE table with fix versions.
What Java packages have the most CVEs?
Check the PackageFix fix guides for the most commonly CVE-flagged Java packages.
Does PackageFix support Java lockfiles?
Yes. Drop your lockfile alongside pom.xml for full transitive dependency scanning.
Is PackageFix free?
Yes — completely free, MIT licensed, open source.