Java & Kotlin - Gradle, Maven and Bazel

  • 12 January 2023

Debricked currently supports tracking Java/Kotlin dependencies via:

  • Gradle, using build.gradle and build.gradle.kts files

  • Maven, using pom.xml files

  • Bazel, using WORKSPACE files

  • File fingerprinting, to find dependencies not defined in manifest files

Gradle

For the fastest and most accurate results, a file containing the resolved dependency tree, .gradle.debricked.lock, has to be created prior to scanning.

This can be done using the High Performance Scans technology in our Debricked CLI. By running the resolve command, the CLI automatically detects every manifest file that lacks the recommended Gradle lock file and generates the missing lock files as needed.

It is also possible to generate the recommended file(s) manually, by running the gradle dependencies command and storing its output in a gradle.debricked.lock file:

gradle dependencies > gradle.debricked.lock

Every gradle.debricked.lock file must be put in the same directory as the corresponding build.gradle (recommended) or build.gradle.kts.

 

Maven

For the fastest and most accurate results, a file containing the resolved dependency tree, .maven.debricked.lock, has to be created prior to scanning.

This can be done using the High Performance Scans technology in our Debricked CLI. By running the resolve command, the CLI automatically detects every manifest file that lacks the recommended Maven lock file and generates the missing lock files as needed.

It is also possible to generate the recommended file(s) manually, by running the Maven dependency:tree plugin goal and writing its output to a maven.debricked.lock file:

mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf

Every maven.debricked.lock file must be put in the same directory as the corresponding pom.xml.
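The two manual procedures above amount to the same rule: run the resolver from the directory of each build file so the lock file lands beside it. The script below is an added example, not part of Debricked's documentation or CLI. It walks a source tree, generates the recommended lock file next to every build.gradle, build.gradle.kts and pom.xml it finds, and then checks that no manifest is left without one before a scan. It assumes gradle and mvn are on PATH and that file paths contain no newlines; the function names (lock_path_for, find_manifests, generate_all, check_locks) are this example's own.

```shell
#!/bin/sh
# Added example (not Debricked's own tooling): generate the recommended
# Gradle/Maven lock files beside every manifest under a source tree and
# verify that none is missing. Assumes `gradle` and `mvn` are on PATH.
set -eu

# Map a manifest path to the lock file expected in the same directory.
# Returns 1 (prints nothing) for files that are not Gradle/Maven manifests.
lock_path_for() {
    case "$(basename "$1")" in
        build.gradle|build.gradle.kts) printf '%s\n' "$(dirname "$1")/gradle.debricked.lock" ;;
        pom.xml)                       printf '%s\n' "$(dirname "$1")/maven.debricked.lock" ;;
        *)                             return 1 ;;
    esac
}

# List every Gradle/Maven manifest under $1, skipping VCS and build output dirs.
find_manifests() {
    find "$1" \( -name .git -o -name .gradle -o -name build -o -name target \) -prune -o \
        \( -name build.gradle -o -name build.gradle.kts -o -name pom.xml \) -type f -print
}

# Run the resolver inside the manifest's own directory so the output file
# is created beside the manifest, which is where the scanner looks for it.
# For a Gradle multi-project build this runs the task for each subproject.
generate_lock() {
    manifest=$1
    dir=$(dirname "$manifest")
    case "$(basename "$manifest")" in
        build.gradle|build.gradle.kts)
            ( cd "$dir" && gradle dependencies > gradle.debricked.lock ) ;;
        pom.xml)
            ( cd "$dir" && mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf ) ;;
    esac
}

# Generate a lock file for every manifest under $1.
generate_all() {
    find_manifests "$1" | while IFS= read -r m; do
        generate_lock "$m"
    done
}

# Report manifests whose lock file is absent or empty; exit 1 if any.
# Useful as a pre-scan gate so a stale or missing lock is caught early.
check_locks() {
    missing=0
    list=$(mktemp)
    find_manifests "$1" > "$list"
    while IFS= read -r m; do
        lock=$(lock_path_for "$m")
        if [ ! -s "$lock" ]; then
            echo "missing lock for $m (expected $lock)" >&2
            missing=$((missing + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$missing" -eq 0 ]
}

# Usage: generate_all /path/to/repo && check_locks /path/to/repo
```

A lock file describes the resolution at the moment it was generated, so regenerate it whenever the corresponding build file changes; otherwise the scan reports the dependency tree of an earlier revision. Running check_locks in CI before the scan step is a cheap way to catch a module that was added without a lock file.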

 

Bazel

We also support Java projects using Bazel, where we scan the WORKSPACE file format in addition to any other Java file formats being used.
To guarantee fast and accurate scans, we recommend using rules_jvm_external to generate an install.json file in which all indirect dependencies are resolved and pinned in a lock file. For more information on how to set this up in your project, please refer to the Bazel blog.

 

File fingerprinting

Debricked supports scanning for Java dependencies not defined in manifest files through file fingerprinting. Our database contains the hashes of .jar and .war files, as well as of their unpacked contents, for all packages in the largest Maven repository. These hashes are compared with the contents of your application to produce matches that are as accurate as possible.

For more information on the file fingerprinting feature and how to get set up, see file fingerprinting.

Supported file formats and features:

  Language | Package manager | Supported file formats
  ---------|-----------------|-------------------------------
  Java     | Bazel           | WORKSPACE, install.json
  Java     | Gradle          | build.gradle, build.gradle.kts
  Java     | Maven           | pom.xml
  Java     | -               | fingerprinted files*

The feature columns of the original table are: Root dependencies, Indirect dependencies, Dependency trees, Security scanning, License scanning and Root fix.

*For more information on what files we match on, see file fingerprinting.

 

Have a look at the overview of all supported languages.
