Java / Kotlin

Introduction

JFrog Xray provides security and compliance analysis for Java / Kotlin applications throughout the software development lifecycle. This page describes the supported scan contexts, package managers, capabilities, and dependency analysis available for Java.

Capabilities

Capability	Source Code Scanning	Binary Scanning
Vulnerability Matching (CVEs)	✅	✅
License Detection	✅	✅
Malicious Package Detection	✅	✅
Operational Risk	✅	✅
Smart Remediation	🔜	🔜

Source code scanning analyzes your project's dependency manifest files to identify components and their vulnerabilities. This is used by JFrog CLI (jf audit), Frogbot, IDE integrations, and CI pipelines.

Supported Files

Package Manager	Supported Files
Maven	`pom.xml`
Gradle	❌ Not supported
Ivy	❌ Not supported

Dependency Graph

Package Manager	Dependency Graph
Maven	✅ Full (parent-child relationships)