
Maven

OrbitalReg's Maven adapter implements the Maven 2 / Maven 3 repository layout, including snapshot resolution, metadata generation, and checksum verification.

Repository types

  • Local — uploads via mvn deploy, downloads during normal dependency resolution (any mvn build that needs the artifact) or via any HTTP client.
  • Remote — proxies and caches an upstream Maven repo (Maven Central, Sonatype OSS, etc.). The first request for each artifact fetches and caches it; subsequent requests are served from local storage.
  • Virtual — federated view of any number of local + remote repos. Resolves coordinates against each member in declared order and returns the first match, so list local repos ahead of remote proxies to keep an upstream package from shadowing an internal coordinate.

Endpoint shape

https://orbitalreg.example.com/maven/<project-slug>/<repo-slug>/

For example, deploying:

```bash
# -DrepositoryId must equal the <server><id> in settings.xml that holds the
# credentials; a mismatch means Maven deploys anonymously and gets 401.
mvn deploy:deploy-file \
  -Dfile=target/my-lib-1.0.0.jar \
  -DgroupId=com.example \
  -DartifactId=my-lib \
  -Dversion=1.0.0 \
  -Dpackaging=jar \
  -DrepositoryId=orbitalreg \
  -Durl=https://orbitalreg.example.com/maven/acme/internal-libs
```

writes to repo_id = (acme, internal-libs) and stores under the path com/example/my-lib/1.0.0/my-lib-1.0.0.jar.

settings.xml

```xml
<settings>
  <servers>
    <server>
      <!-- must match the <repository> id below, otherwise no credentials are sent -->
      <id>orbitalreg</id>
      <!-- Maven interpolates environment variables as ${env.NAME};
           a bare $NAME is sent to the server literally -->
      <username>${env.ORBITALREG_USER}</username>
      <password>${env.ORBITALREG_TOKEN}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>orbitalreg-mirror</id>
      <repositories>
        <repository>
          <id>orbitalreg</id>
          <url>https://orbitalreg.example.com/maven/acme/all-libs</url>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <!-- a profile is inert until activated -->
  <activeProfiles>
    <activeProfile>orbitalreg-mirror</activeProfile>
  </activeProfiles>
</settings>
```

This adds OrbitalReg as a repository alongside Maven Central, so anything the virtual repo does not serve is still fetched directly from Central and never passes the scanners. To route every download through the virtual repo, declare it under `<mirrors>` with `<mirrorOf>*</mirrorOf>` instead of (or in addition to) the profile repository, keeping the same `orbitalreg` id so the credentials above still apply.

Snapshot resolution

The Maven adapter fully supports -SNAPSHOT versions:

  • Each timestamped snapshot build is preserved under its full coordinate (my-lib-1.1.0-20240105.143021-3.jar, not only the latest)
  • maven-metadata.xml in the version directory is regenerated atomically on every push, so a client never observes a half-written file
  • Cleanup of old snapshots is policy-driven via retention rules
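The layout mapping from the deploy example above and the snapshot resolution described in this section, as an added Python example (not OrbitalReg's code): a coordinate-to-path function, a resolver that reads a version directory's maven-metadata.xml to pick the timestamped build a Maven 3 client would download, and the sidecar checksum check that backs the adapter's checksum verification. The metadata document is constructed for the example; only the standard library is used.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def layout_path(group_id, artifact_id, version, packaging="jar",
                classifier=None, file_version=None):
    """Maven 2 layout: group dots become directories, the directory keeps the
    base version (1.1.0-SNAPSHOT) and the file name carries the resolved one."""
    name = f"{artifact_id}-{file_version or version}"
    if classifier:
        name += f"-{classifier}"
    return f"{group_id.replace('.', '/')}/{artifact_id}/{version}/{name}.{packaging}"


# Constructed sample of the maven-metadata.xml served inside a -SNAPSHOT
# version directory; the structure is what Maven 3 deploys, values are invented.
SAMPLE_METADATA = """\
<metadata modelVersion="1.1.0">
  <groupId>com.example</groupId>
  <artifactId>my-lib</artifactId>
  <version>1.1.0-SNAPSHOT</version>
  <versioning>
    <snapshot><timestamp>20240105.143021</timestamp><buildNumber>3</buildNumber></snapshot>
    <lastUpdated>20240105143021</lastUpdated>
    <snapshotVersions>
      <snapshotVersion>
        <extension>jar</extension>
        <value>1.1.0-20240105.143021-3</value>
        <updated>20240105143021</updated>
      </snapshotVersion>
      <snapshotVersion>
        <classifier>sources</classifier>
        <extension>jar</extension>
        <value>1.1.0-20240104.090000-2</value>
        <updated>20240104090000</updated>
      </snapshotVersion>
      <snapshotVersion>
        <extension>pom</extension>
        <value>1.1.0-20240105.143021-3</value>
        <updated>20240105143021</updated>
      </snapshotVersion>
    </snapshotVersions>
  </versioning>
</metadata>
"""


def resolve_snapshot(metadata_xml, extension="jar", classifier=None):
    """Return the timestamped version for the newest snapshot build of the
    given extension/classifier. Each classifier resolves independently, which
    is why -sources can lag behind the main jar."""
    root = ET.fromstring(metadata_xml)
    version = root.findtext("version") or ""
    if not version.endswith("-SNAPSHOT"):
        raise ValueError("not a snapshot version directory")
    best = None
    for sv in root.iterfind("./versioning/snapshotVersions/snapshotVersion"):
        if sv.findtext("extension") != extension:
            continue
        if (sv.findtext("classifier") or None) != classifier:
            continue
        updated = sv.findtext("updated") or ""   # yyyyMMddHHmmss sorts as text
        if best is None or updated > best[0]:
            best = (updated, sv.findtext("value"))
    if best is not None:
        return best[1]
    # Maven 2 style metadata carries only <snapshot>: rebuild the value from it.
    snap = root.find("./versioning/snapshot")
    if snap is None:
        raise ValueError("no snapshot information in metadata")
    base = version[: -len("-SNAPSHOT")]
    return f"{base}-{snap.findtext('timestamp')}-{snap.findtext('buildNumber')}"


def verify_checksum(artifact_bytes, sidecar_text, algo="sha1"):
    """Check an artifact against its .sha1/.md5/.sha256 sidecar. Sidecars may be
    bare hex or 'hex  filename'; the first token is the digest."""
    tokens = sidecar_text.strip().split()
    if not tokens:
        return False
    expected = tokens[0].lower()
    actual = hashlib.new(algo, artifact_bytes).hexdigest()
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    resolved = resolve_snapshot(SAMPLE_METADATA)
    print(layout_path("com.example", "my-lib", "1.1.0-SNAPSHOT", file_version=resolved))
```

Resolving the sample metadata picks `1.1.0-20240105.143021-3` for the jar but `1.1.0-20240104.090000-2` for the `sources` classifier; a retention rule that deletes the older build would silently break source resolution for that snapshot, which is worth checking before tightening `max_age_days`.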

A typical retention rule for snapshots:

```yaml
name: snapshots-keep-7d
rules:
  - keep_by_age:
      max_age_days: 7
      match_path_regex: "-SNAPSHOT/"
```

Detection

Maven artifacts are scanned by Trivy, Grype, OSV.dev, and Syft in parallel on upload. Findings tie back to the artifact via scan_findings.artifact_id. Both the POM (declared and transitive dependencies) and the jar contents, including the embedded MANIFEST.MF, are inspected.

Promotion

A typical CI flow has three Maven repos per project:

acme/maven-snapshots   ← `mvn deploy` from feature branches
acme/maven-staging     ← `mvn deploy` from main, post-CI
acme/maven-releases    ← promoted from staging once CVE/license gates pass

The promotion gate is the same one described in Core concepts → Promotion.

Signing

Sigstore keyless signatures are honoured via the Sigstore trust policies mechanism. CMS, PGP (the detached .asc files that maven-gpg-plugin publishes beside each artifact) and RSA signature blocks are verified against the per-repo trust bundle.

Migration from Sonatype Nexus

The endpoint shape (/maven/<project>/<repo>/) is structurally compatible with Nexus's /repository/<repo>/ shape, provided the OrbitalReg repo slugs match the Nexus repository names. A simple nginx rewrite covers most projects:

```nginx
location /repository/ {
  # /repository/<repo>/<path> -> /maven/acme/<repo>/<path>; `break` stops
  # further rewrite processing and proxies the rewritten URI as-is.
  rewrite ^/repository/(.*)$ /maven/acme/$1 break;
  proxy_pass https://orbitalreg.example.com;
  # The upstream is a TLS virtual host: send its Host header and SNI rather
  # than the Nexus hostname the client connected to.
  proxy_set_header Host orbitalreg.example.com;
  proxy_ssl_server_name on;
}
```

Run that on the Nexus host during cutover and you can move clients in batches without forcing a settings.xml update. Two caveats: the project slug (acme here) is hard-coded, so a host serving several projects needs one location per project; and clients keep sending the credentials from their existing `<server>` entries, so those users and tokens must be valid on OrbitalReg before the rewrite goes live, or every deploy and download will fail with 401.

Released under the Apache-2.0 License.