use "dependency management" feature of maven
Currently you’re using Maven to track the dependencies of dependency-track; however, Maven doesn’t have a concept of lockfiles to pin the versions of transitive dependencies.
Even if I can see the transitive versions via the SBOM you publish with each release, I should be able to track the dependencies of dependency-track for a specific tag to ensure I can build it with the same versions the release was built with.
The “dependency management” feature is, as far as I can tell, the closest to lockfiles that Maven gets: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-management
- Created 10 months ago
- Comments: 7 (4 by maintainers)
Top GitHub Comments
Ok, after discussing this I think the situation is that Maven is the source of truth for artifacts and their checksums. Maven doesn’t really have a concept of committing a lockfile of those checksums to the repo. But every release comes with the SBOM, so that’s about all I’d need for most of the things I’m interested in trialing.
I’ll close this issue, but there might be some things that can be adopted from https://reproducible-builds.org/docs/jvm/ since Maven apparently needs some configuration to build reproducible artifacts. And I’m going to have a read into https://github.com/jvm-repo-rebuild/reproducible-central
OK, I understand a bit more about what you are trying to achieve.
My assumption there was that the only download is the top-level firstname.lastname@example.org jar, since it has already been built. Does it actually need to download all transitive jars in order to do a build?
Yes, you can have a scenario like this: A --> B --> C. B is indeed compiled using C, but C isn’t included in B’s jar. For a lot of reasons, A can depend on a method in C, hence the need to download all of the dependency tree.
Are there transparency logs or mirrors that could notice a change to an existing artifact?
Not that I know of. You can have a closed-world assumption by mirroring Maven Central internally using something like Nexus and only downloading your dependencies from there. Since you’ll own the repository, you can enforce your own rules and have a dedicated audit process.
Since you have the tag and the SBOM generated by DT for a given version, if you build the artifact from the source using Maven and generate an SBOM, wouldn’t a deep comparison (dependencies’ hashes included) of the DT SBOM and your generated SBOM be enough to ensure a “reproducible build”?
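The deep comparison proposed above, as an added example that is not part of this issue or of the Dependency-Track project: a small Python script that matches the components of two CycloneDX JSON SBOMs by package URL and compares their SHA-256 digests. The two SBOMs, their purls and their hashes are constructed for the example; it assumes the published SBOM carries a hash entry for every component.

```python
import json

# Constructed sample SBOMs (CycloneDX JSON shape); purls and digests are invented.
# PUBLISHED_SBOM stands for the SBOM shipped with a release tag,
# REBUILT_SBOM for the one generated by rebuilding that tag from source.
PUBLISHED_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"purl": "pkg:maven/org.example/lib-a@1.2.0", "hashes": [{"alg": "SHA-256", "content": "AA11"}]},
    {"purl": "pkg:maven/org.example/lib-b@2.0.1", "hashes": [{"alg": "SHA-256", "content": "bb22"}]},
    {"purl": "pkg:maven/org.example/lib-c@0.9.0", "hashes": [{"alg": "SHA-256", "content": "cc33"}]},
]}
REBUILT_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"purl": "pkg:maven/org.example/lib-a@1.2.0", "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
    {"purl": "pkg:maven/org.example/lib-b@2.0.1", "hashes": [{"alg": "SHA-256", "content": "bb99"}]},
    {"purl": "pkg:maven/org.example/lib-d@3.1.0", "hashes": [{"alg": "SHA-256", "content": "dd44"}]},
]}


def component_hashes(sbom):
    """Map each component's purl to its {ALG: digest} hashes, digest lower-cased."""
    out = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without a purl cannot be matched reliably
        out[purl] = {h["alg"].upper(): h["content"].lower() for h in comp.get("hashes", [])}
    return out


def compare_sboms(published, rebuilt, alg="SHA-256"):
    """Deep-compare two SBOMs: same purls (name + version) and same digest per purl.

    A purl includes the version, so a dependency resolved at a different version
    shows up as one 'missing_in_rebuild' plus one 'extra_in_rebuild' entry.
    """
    pub, reb = component_hashes(published), component_hashes(rebuilt)
    report = {"matched": [], "hash_mismatch": [], "missing_in_rebuild": [],
              "extra_in_rebuild": [], "unhashed": []}
    for purl in sorted(pub.keys() | reb.keys()):
        if purl not in reb:
            report["missing_in_rebuild"].append(purl)
        elif purl not in pub:
            report["extra_in_rebuild"].append(purl)
        elif alg not in pub[purl] or alg not in reb[purl]:
            report["unhashed"].append(purl)  # cannot verify without a digest
        elif pub[purl][alg] != reb[purl][alg]:
            report["hash_mismatch"].append(purl)
        else:
            report["matched"].append(purl)
    return report


def inputs_match(report):
    """True only when every component matched by purl and digest."""
    return all(not report[k] for k in ("hash_mismatch", "missing_in_rebuild",
                                       "extra_in_rebuild", "unhashed"))


if __name__ == "__main__":
    print(json.dumps(compare_sboms(PUBLISHED_SBOM, REBUILT_SBOM), indent=2))
```

A clean report shows that the rebuild consumed the same dependency artifacts as the release, which is the question this issue is about; it does not by itself show that the produced jar is bit-for-bit identical, which is what the reproducible-builds.org Maven configuration addresses.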