Using Open Source Health in Sigrid On-Premise for Maven-based projects

This documentation covers on-premise Sigrid. It is not applicable for cloud-based Sigrid.

Scope of this page

This page specifically describes how to use Open Source Health for Maven-based projects in a Sigrid On-Premise environment.

Other ecosystems (such as Gradle, NPM, Yarn, or Poetry) use different mechanisms to determine dependencies. For those ecosystems, refer to the general Open Source Health upload instructions. The Maven-specific limitation described here does not automatically apply to non-Maven dependency managers.

Using Open Source Health for Maven projects on Sigrid On-Premise

Background

For Open Source Health (OSH), Sigrid needs to determine which open source dependencies are used by your system and which versions are involved. For Maven-based projects, this normally happens by resolving dependencies during analysis.

In Sigrid SaaS, this resolution can rely on public Maven repositories.
In Sigrid On-Premise deployments, this is usually not possible because the environment typically runs isolated from the internet. As a result, Maven dependency analysis that requires external connectivity cannot be performed at analysis time.

To address this limitation, Sigrid supports the use of Maven dependency tree files. For on-premise deployments this is the supported way to analyze Maven dependencies.

Maven dependency tree files

A Maven dependency tree file (maven.tree) contains the fully resolved list of dependencies for a project, including transitive ones and the exact versions Maven selected. Maven generates the file itself, resolving dependencies from whatever repositories your build is configured to use (for example an internal Nexus or Artifactory mirror), so no access to the public internet is needed.

Sigrid can use this file to determine Maven dependencies for OSH analysis, without requiring online dependency resolution.

Important
For Sigrid On-Premise deployments, Maven OSH analysis is supported only via dependency tree files.

This approach is also described in the general OSH documentation.

Creating the maven.tree file

The dependency tree file must be created before running the Sigrid analysis. This is typically done as an additional step in your CI/CD pipeline.

Example command:

mvn dependency:tree -DoutputType=text -DoutputFile=maven.tree -DoutputEncoding=UTF-8

This command resolves dependencies using your configured Maven repositories and writes the dependency tree to maven.tree in the project workspace. It uses the same settings.xml, mirrors and repository credentials as a regular build, so run it in an environment where the build itself would succeed. Once the maven.tree file is present in the workspace, the Sigrid analyzer picks it up automatically when publishing results.

You can either:

  1. Add a dedicated pipeline step before running Sigrid, or
  2. Include the dependency tree generation directly in the same job that runs sigrid-multi-analyzer

Example pipeline job:

sigrid-publish:
  image:
    name: "softwareimprovementgroup/sigrid-multi-analyzer:$SIGRID_VERSION"
  variables:
    SYSTEM: "$CI_PROJECT_NAME"
    SIGRID_CA_CERT: "my_sigrid_cert.pem"
    AWS_CA_BUNDLE: "my_s3bucket_cert.pem"
  script:
    # Quote the variables: an unquoted echo collapses a multi-line PEM certificate onto one line.
    - echo "$MYSIGRID_CERT" > "$SIGRID_CA_CERT"
    - echo "$MY_S3_CERT" > "$AWS_CA_BUNDLE"
    # Generate maven.tree in the workspace before the analyzer runs.
    - mvn dependency:tree -DoutputType=text -DoutputFile=maven.tree -DoutputEncoding=UTF-8
    - run-analyzers --publish

As long as the maven.tree file is present when run-analyzers --publish is executed, Sigrid will use it to determine Maven dependencies for Open Source Health.
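As an added example (not part of the Sigrid documentation or of the sigrid-multi-analyzer tooling), the POSIX shell functions below can run as a pipeline step between the mvn dependency:tree command and run-analyzers --publish, so the job fails early if maven.tree is missing, empty or not in the text format Maven writes, rather than publishing without a usable tree file. The file format is Maven's own; the sample tree is constructed for this example, and the function names (check_maven_tree, count_dependencies, list_dependency_versions) are assumptions, not Sigrid or Maven names.

```shell
#!/bin/sh
# Added example: sanity-check a maven.tree produced by
#   mvn dependency:tree -DoutputType=text -DoutputFile=maven.tree
# before handing the workspace to run-analyzers --publish.
# Function names are assumptions made for this example, not Sigrid or Maven APIs.

# Constructed sample of the text output for a small project (not real project data).
SAMPLE_TREE='com.example:demo-app:jar:1.4.2
+- org.apache.commons:commons-lang3:jar:3.12.0:compile
+- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
|  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
|  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
\- org.junit.jupiter:junit-jupiter:jar:5.9.3:test'

# Strip the tree-drawing prefix ("+- ", "\- ", "|  ", spaces) and drop the root project line,
# leaving one dependency coordinate per line.
dependency_lines() {
  sed -e 's/^[|+\\ -]*//' "$1" | tail -n +2
}

# count_dependencies FILE
# Counts coordinates of the form groupId:artifactId:packaging[:classifier]:version:scope.
count_dependencies() {
  dependency_lines "$1" | grep -Ec '^([^: ]+:){4,5}[a-z]+$'
}

# list_dependency_versions FILE
# Prints groupId:artifactId:version per dependency, sorted and de-duplicated.
# With 5 fields the version is field 4; with a classifier (6 fields) it is field 5.
list_dependency_versions() {
  dependency_lines "$1" \
    | awk -F: 'NF == 5 { print $1 ":" $2 ":" $4 } NF == 6 { print $1 ":" $2 ":" $5 }' \
    | sort -u
}

# check_maven_tree FILE
# Returns 0 when FILE exists, is non-empty, starts with a groupId:artifactId:packaging:version
# coordinate and lists at least one dependency; returns 1 (with a reason on stderr) otherwise.
check_maven_tree() {
  file=$1
  [ -s "$file" ] || { echo "maven.tree missing or empty: $file" >&2; return 1; }
  head -n 1 "$file" | grep -Eq '^[^: ]+:[^: ]+:[^: ]+:[^: ]+$' \
    || { echo "first line of $file is not a Maven coordinate" >&2; return 1; }
  [ "$(count_dependencies "$file")" -gt 0 ] \
    || { echo "no dependencies listed in $file" >&2; return 1; }
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_TREE" > "$tmp"
check_maven_tree "$tmp" && echo "maven.tree looks usable ($(count_dependencies "$tmp") dependencies)"
list_dependency_versions "$tmp"
rm -f "$tmp"
```

In a pipeline the call would be `check_maven_tree maven.tree || exit 1` right after the mvn step; because the functions only read the file, they make no network calls and work in an isolated on-premise runner. The version listing doubles as a quick way to eyeball which versions Maven actually selected from your internal mirror before they are reported by Open Source Health.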

Contact and support

Feel free to contact SIG’s support department for any questions or issues you may have after reading this document, or when using Sigrid or Sigrid-Multi-Analyzer. Users in Europe can also contact us by phone at +31 20 314 0953.