diff --git a/build.gradle b/build.gradle
index b4f3e793ab..d5f3b380ac 100644
--- a/build.gradle
+++ b/build.gradle
@@ -755,12 +755,53 @@ artifactory {
         defaults {
             // Root project applies the plugin (for this block) but does not need to be published
             if (project != rootProject) {
-                publications(project.extensions.publish.name())
+                def pubNames = project.publishing.publications*.name
+                publications(pubNames.toArray(new String[0]))
             }
         }
     }
 }
 
+// Publish the default jar for fat-jar sub-modules that do not currently publish their dependencies.
+// These are not for external consumption.
+// We must generate a jar which has a pom.xml with a full dependency list for vulnerability tools to evaluate.
+subprojects {
+    afterEvaluate { project ->
+        // map project to actual jar name, since some sub-project jars are not
+        // published with the same name as their sub-project.
+        def projectDict = [
+                "testing:testserver": "corda-testserver",
+                "tools:explorer": "corda-tools-explorer",
+                "opentelemetry:opentelemetry-driver": "corda-opentelemetry-driver",
+                "tools:network-builder": "corda-tools-network-builder",
+                "node:capsule": "corda"
+        ]
+        def lookupName = "${project.parent.name}:${project.name}".toString()
+
+        if (projectDict.containsKey(lookupName)) {
+            apply plugin: 'maven-publish'
+            def jarName = projectDict[lookupName]
+            publishing {
+                publications {
+                    "$jarName-jarPublication"(MavenPublication) {
+                        from components.java
+                        artifactId = "$jarName-thin-with-deps"
+                        pom {
+                            name = "$jarName-thin-with-deps"
+                            description = "Corda ${project.name} for vulnerability checking."
+                        }
+                    }
+                }
+            }
+
+            jar {
+                archiveClassifier = 'R3-internal'
+            }
+        }
+    }
+}
+
+
 tasks.register('generateApi', net.corda.plugins.apiscanner.GenerateApi) {
     baseName = "api-corda"
 }
diff --git a/node/capsule/build.gradle b/node/capsule/build.gradle
index 2eb546be0d..95bc656024 100644
--- a/node/capsule/build.gradle
+++ b/node/capsule/build.gradle
@@ -20,6 +20,9 @@ dependencies {
     capsuleRuntime "com.typesafe:config:$typesafe_config_version"
     compileOnly "com.typesafe:config:$typesafe_config_version"
     testRuntimeOnly "com.typesafe:config:$typesafe_config_version"
+    
+    // 'implementation' for the benefit of the snyk-scanner POM file
+    implementation "com.typesafe:config:$typesafe_config_version"
 
     // Capsule is a library for building independently executable fat JARs.
     // We only need this dependency to compile our Caplet against.
@@ -30,7 +33,7 @@ dependencies {
     testImplementation "junit:junit:$junit_version"
 }
 
-jar.enabled = false
+jar.enabled = true
 
 capsule {
     version capsule_version
diff --git a/opentelemetry/opentelemetry-driver/build.gradle b/opentelemetry/opentelemetry-driver/build.gradle
index 1b7e768696..d6cb4ebf0d 100644
--- a/opentelemetry/opentelemetry-driver/build.gradle
+++ b/opentelemetry/opentelemetry-driver/build.gradle
@@ -30,7 +30,7 @@ artifacts {
 }
 
 jar {
-    enabled = false
+    enabled = true
 }
 
 publish {
diff --git a/tools/network-builder/build.gradle b/tools/network-builder/build.gradle
index 51ec4d6339..72c80ba8ea 100644
--- a/tools/network-builder/build.gradle
+++ b/tools/network-builder/build.gradle
@@ -88,7 +88,7 @@ artifacts {
 }
 
 jar {
-    enabled = false
+    enabled = true
 }
 
 publish {