Maven Heaven
Scan, review, curate and fix metadata of Java packages
The Apache Maven Central repository is the center of the Java development world, the place most open source Java dependencies are fetched from, hosting over 3 million Java packages. The origin and licensing of a Java JAR are declared by its authors in the POM (Project Object Model) metadata, but that declaration can be misleading or simply wrong. There are also thousands of copies of Java packages, such as Log4J, embedded (or "shaded") inside other JARs, and most tools do not detect them because they only look at the declared metadata, not at what the JAR actually contains. Accurate Java origin and license metadata is essential to safely automate the consumption of Java packages in the software supply chain.
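To make the gap between declared and actual content concrete, here is an added example (not code from the AboutCode project or from Maven): it builds a constructed sample JAR in memory that declares itself as `com.example:app` in its `pom.properties`, while bundling Log4J 2 classes, some relocated under a `com/example/shaded/` package as the Maven shade plugin typically does. The audit then lists what the JAR declares, what it embeds, and which embedded libraries have no matching declaration. The package-path markers for `log4j-core` and `log4j-api` are this example's own heuristic; a real scanner would also fingerprint class contents, since a marker match on a path proves only that the package name was kept.

```python
import io
import re
import zipfile

# Package paths that identify a library's classes even after a build has
# relocated them under another package. These markers are this example's own
# heuristic (an assumption), not an AboutCode or Maven mechanism.
EMBED_MARKERS = {
    "log4j-core": "org/apache/logging/log4j/core/",
    "log4j-api": "org/apache/logging/log4j/",
}

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into JARs.
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")


def build_sample_jar() -> bytes:
    """Constructed sample: a JAR declaring itself as com.example:app that
    bundles Log4J 2 classes, some relocated under com/example/shaded/, one not.
    Class bodies are empty placeholders; only the entry names matter here."""
    entries = {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "META-INF/maven/com.example/app/pom.properties":
            "# generated by the build\ngroupId=com.example\nartifactId=app\nversion=1.0\n",
        "com/example/app/Main.class": "",
        "com/example/shaded/org/apache/logging/log4j/core/LoggerContext.class": "",
        "com/example/shaded/org/apache/logging/log4j/core/config/Configurator.class": "",
        "com/example/shaded/org/apache/logging/log4j/LogManager.class": "",
        "org/apache/logging/log4j/Logger.class": "",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def declared_coordinates(jar: bytes) -> list:
    """Return (groupId, artifactId, version) tuples from every pom.properties
    in the JAR. A shaded JAR normally keeps only its own, which is the problem."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in zf.namelist():
            if not POM_PROPS.match(name):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            coords.append((props.get("groupId"), props.get("artifactId"), props.get("version")))
    return coords


def classify_entry(name: str):
    """Map a .class entry to the library it most specifically matches.
    Substring search rather than prefix, so relocated packages still match;
    the longest marker wins so log4j-core classes are not counted as log4j-api."""
    if not name.endswith(".class"):
        return None
    best = None
    for lib, marker in EMBED_MARKERS.items():
        if marker in name and (best is None or len(marker) > len(EMBED_MARKERS[best])):
            best = lib
    return best


def embedded_libraries(jar: bytes) -> dict:
    """Count class entries per detected library."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in zf.namelist():
            lib = classify_entry(name)
            if lib:
                counts[lib] = counts.get(lib, 0) + 1
    return counts


def audit(jar: bytes) -> dict:
    """Compare what the JAR declares with what it actually carries."""
    declared = declared_coordinates(jar)
    embedded = embedded_libraries(jar)
    declared_ids = {artifact for _, artifact, _ in declared}
    undeclared = sorted(lib for lib in embedded if lib not in declared_ids)
    return {"declared": declared, "embedded": embedded, "undeclared": undeclared}


if __name__ == "__main__":
    result = audit(build_sample_jar())
    print("declared:", result["declared"])
    print("embedded:", result["embedded"])
    print("undeclared bundled libraries:", result["undeclared"])
```

Run against the constructed JAR, the audit reports a single declared artifact (`com.example:app:1.0`) but two embedded Log4J libraries that no metadata mentions. That is exactly the case a license or vulnerability scan keyed on POM coordinates misses, and it is why relocated copies need content-based detection rather than trust in the declaration.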
Maven Heaven addresses this problem in multiple steps: it will scan, review, curate and fix the metadata of the most popular Java packages. The data will be released under an open license, and the project will work with the Maven community to provide it as part of the Maven services and repository, making it possible to cross-check and report code borrowing and reuse between Java projects. The team will deploy an AboutCode toolchain as a service that any Java author can use to review, validate and enrich their package metadata.
This project is a collaboration between AboutCode and the Log4J maintainers to uncover metadata issues and help upstream authors fix them. It should allow Maven packages to be shared with better, more accurate origin and license metadata, possibly right at creation time. The increased level of trust in Maven Java JARs will make it easier to consume more Java packages safely.
Run by AboutCode
This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).