diff --git a/buildSrc/src/main/groovy/corda.common-publishing.gradle b/buildSrc/src/main/groovy/corda.common-publishing.gradle
index 20b2d4be8d..a7bb600ab7 100644
--- a/buildSrc/src/main/groovy/corda.common-publishing.gradle
+++ b/buildSrc/src/main/groovy/corda.common-publishing.gradle
@@ -36,6 +36,40 @@ if (System.getenv('CORDA_ARTIFACTORY_USERNAME') != null || project.hasProperty('
 }
 }
 }
+
+ // Publish the default jar for fat-jar sub-modules that do not currently publish their dependencies.
+ // These are not for external consumption.
+ // We must generate a jar which has a pom.xml with a full dependency list for vulnerability tools to evaluate.
+ // Only do this for builds done within R3.
+ def projectDict = [
+ "testing:testserver": "corda-testserver",
+ "tools:explorer": "corda-tools-explorer",
+ "opentelemetry:opentelemetry-driver": "corda-opentelemetry-driver",
+ "tools:network-builder": "corda-tools-network-builder",
+ "node:capsule": "corda"
+ ]
+ def lookupName = "${project.parent.name}:${project.name}".toString()
+
+ if (projectDict.containsKey(lookupName)) {
+ pluginManager.apply('maven-publish')
+ def jarName = projectDict[lookupName]
+ publishing {
+ publications {
+ "$jarName-jarPublication"(MavenPublication) {
+ from components.java
+ artifactId = "$jarName-thin-with-deps"
+ pom {
+ name = "$jarName-thin-with-deps"
+ description = "Corda ${project.name} for vulnerability checking."
+ }
+ }
+ }
+ }
+
+ jar {
+ archiveClassifier = 'R3-internal'
+ }
+ }
 }
 } else {
 logger.info("External user - using standard maven publishing")
diff --git a/node/capsule/build.gradle b/node/capsule/build.gradle
index b18c9a2523..daeabb9ef3 100644
--- a/node/capsule/build.gradle
+++ b/node/capsule/build.gradle
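Review bot: The lookup key `"${project.parent.name}:${project.name}"` identifies a module only by its last two path segments and dereferences `project.parent`, which is null on the root project. If this convention is ever applied to the root project it would fail at configuration time, and any other module named `capsule` under a parent named `node` would also be published as `corda-thin-with-deps`. Keying the map on the full Gradle path is stricter: `def lookupName = project.path` with entries such as `":node:capsule": "corda"`. Because the generated POM is what the vulnerability scanner reads, a comment on `projectDict` stating that a fat-jar module is only scanned once it is listed there would also help. The enclosing credential check starts above the hunk, so which projects actually reach this code is not visible here.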
@@ -21,6 +21,9 @@ dependencies {
 capsuleRuntime "com.typesafe:config:$typesafe_config_version"
 compileOnly "com.typesafe:config:$typesafe_config_version"
 testRuntimeOnly "com.typesafe:config:$typesafe_config_version"
+
+ // 'implementation' for the benefit of the security-scannable POM file
+ implementation "com.typesafe:config:$typesafe_config_version"
 // Capsule is a library for building independently executable fat JARs.
 // We only need this dependency to compile our Caplet against.
@@ -31,7 +34,7 @@ dependencies {
 testImplementation "junit:junit:$junit_version"
 }
-jar.enabled = false
+jar.enabled = true
 capsule {
 version capsule_version
diff --git a/opentelemetry/opentelemetry-driver/build.gradle b/opentelemetry/opentelemetry-driver/build.gradle
index b8fc145051..9911f8a5c7 100644
--- a/opentelemetry/opentelemetry-driver/build.gradle
+++ b/opentelemetry/opentelemetry-driver/build.gradle
@@ -18,7 +18,7 @@ shadowJar {
 }
 jar {
- enabled = false
+ enabled = true
 }
 publishing {
@@ -26,7 +26,6 @@ publishing {
 shadow(MavenPublication) { publication ->
 artifactId 'corda-opentelemetry-driver'
 artifact shadowJar
- from components.java
 }
 }
 }
diff --git a/tools/network-builder/build.gradle b/tools/network-builder/build.gradle
index 3a22036a10..9af3b4118e 100644
--- a/tools/network-builder/build.gradle
+++ b/tools/network-builder/build.gradle
@@ -88,7 +88,7 @@ tasks.register('buildNetworkBuilder') {
 }
 jar {
- enabled = false
+ enabled = true
 }
 publishing {
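Review bot: The `implementation` line added after `testRuntimeOnly` is a hand-kept mirror of the `capsuleRuntime` entry, so the scannable POM lists only what someone remembers to copy here. A dependency later added to `capsuleRuntime` alone would presumably still be bundled into the capsule but would be invisible to the scanner. Either say so on the line, e.g. `// Keep in sync with capsuleRuntime: the vulnerability scanner only sees dependencies declared as 'implementation'`, or derive it once with `configurations.implementation.extendsFrom(configurations.capsuleRuntime)` if widening the compile classpath is acceptable. With `implementation` present, the separate `compileOnly` and `testRuntimeOnly` entries for the same coordinate look redundant. The `dependencies` block opens and closes outside this hunk.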
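Review bot: `jar.enabled = true` is unconditional, while the `R3-internal` classifier that marks this thin jar is set in corda.common-publishing.gradle only inside the R3 credential branch, so external builds now also produce a plain jar under the default archive name. It is worth confirming that this jar cannot overwrite, or be picked up in place of, the capsule or shadow artifact. The same applies to the `enabled = true` changes in opentelemetry/opentelemetry-driver/build.gradle and tools/network-builder/build.gradle. If the jar exists only for scanning, gate it on the same condition as the publication, or at least record the intent with a comment such as `// Enabled so corda.common-publishing can publish a thin jar whose POM carries the dependency list`.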