Maven Anomalous Dependency

ID

anomaly_maven

Severity

low

Family

Anomalous Dependency

Description

A malicious dependency often shows certain patterns that could be used to heuristically warn of potential misbehaviour.

Project metadata gaps, such as a missing license, an author without a valid email address, no project homepage, or no project repository, could raise suspicions about the intentions behind the artifact.
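As an added illustration of these metadata hints (not part of the rule's own implementation), the following Python script parses a POM and reports the gaps named above: missing license, homepage, SCM repository, and developer email. The two sample POMs are constructed for the example, and the email check is a deliberately loose shape test.

```python
import re
import xml.etree.ElementTree as ET

# Loose shape check only: local@domain.tld (assumed policy; tune to taste).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _kids(node, name):
    """Children whose local tag name matches, ignoring the POM XML namespace."""
    return [c for c in node if c.tag.split("}")[-1] == name]

def _text(node, name):
    kids = _kids(node, name)
    return (kids[0].text or "").strip() if kids else ""

def pom_metadata_hints(pom_xml):
    """Return the metadata gaps found in a POM string; empty list means none."""
    root = ET.fromstring(pom_xml)
    hints = []
    licenses = _kids(root, "licenses")
    if not licenses or not _kids(licenses[0], "license"):
        hints.append("no license declared")
    if not _text(root, "url"):
        hints.append("no project homepage")
    scm = _kids(root, "scm")
    if not scm or not (_text(scm[0], "url") or _text(scm[0], "connection")):
        hints.append("no project repository (scm)")
    devs = _kids(root, "developers")
    developers = _kids(devs[0], "developer") if devs else []
    if not developers:
        hints.append("no developer listed")
    for dev in developers:
        who = _text(dev, "id") or _text(dev, "name") or "<unnamed>"
        if not EMAIL_RE.match(_text(dev, "email")):
            hints.append(f"developer {who} has no valid email")
    return hints

# Constructed sample POMs; com.example:helper-utils is not a real artifact.
SPARSE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>helper-utils</artifactId><version>1.0.0</version>
  <developers><developer><id>anon</id><email>not-an-email</email></developer></developers>
</project>"""

COMPLETE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>helper-utils</artifactId><version>1.0.0</version>
  <url>https://example.com/helper-utils</url>
  <licenses><license><name>Apache-2.0</name></license></licenses>
  <scm><url>https://example.com/git/helper-utils</url></scm>
  <developers><developer><id>jdoe</id><email>jdoe@example.com</email></developer></developers>
</project>"""
```

Running `pom_metadata_hints(SPARSE_POM)` yields four hints, while the complete POM yields none; a hit is a prompt for review, not proof of malice.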

Security

When some of these hints are found for a new artifact in your project's dependency graph, the artifact warrants a careful review before it is trusted.

Examples

An artifact whose source repository does not contain the same software as the contents published in the Maven repository, and whose metadata does not adequately identify its author, cannot be trusted without further analysis.

Mitigation / Fix

Put artifacts reported by this rule in 'quarantine', and proceed to review them:

  • Is the author a well-known developer, with a good reputation in the industry?

  • Are there any related Maven security issues?

If you conclude that the package is not malicious, you may then 'mute' the misconfiguration so this rule will not report the artifact in subsequent analyses.