use "dependency management" feature of maven
Current Behavior
Currently you're using Maven to track the dependencies of Dependency-Track; however, Maven doesn't have a concept of lockfiles to pin the versions of transitive dependencies.
Even if I can see the transitive versions via the SBOM you publish with each release, I should be able to track the dependencies of Dependency-Track for a specific tag, to ensure I can build it with the same versions the release was built with.
Proposed Behavior
The "dependency management" feature is, as far as I can tell, the closest to lockfiles that Maven gets: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-management
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this enhancement was already requested
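The pom fragment the issue asks for can be derived from the release SBOM itself. The following added example (not Dependency-Track's own code) reads a constructed CycloneDX JSON SBOM, extracts every `pkg:maven` purl and renders a `<dependencyManagement>` block that pins those versions. Maven applies managed versions to transitive dependencies too, so this is the closest a pom gets to a version lockfile. The sample components are assumptions for illustration.

```python
"""Pin every Maven component from a CycloneDX SBOM in a <dependencyManagement> block."""
import json
from urllib.parse import unquote

# Constructed sample: a trimmed CycloneDX 1.4 JSON SBOM, not one published by Dependency-Track.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.14.1",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.1?type=jar"},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api", "version": "2.0.6",
         "purl": "pkg:maven/org.slf4j/slf4j-api@2.0.6?type=jar"},
        # A non-Maven component (assumed) to show that only pkg:maven purls are pinned.
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})


def parse_maven_purl(purl):
    """Return (group, artifact, version, type) for a pkg:maven purl, or None for other ecosystems."""
    if not purl.startswith("pkg:maven/"):
        return None
    body = purl[len("pkg:maven/"):]
    body, _, qualifiers = body.partition("?")       # strip ?type=...&classifier=...
    coords, _, version = body.partition("@")
    group, _, artifact = coords.rpartition("/")     # group may itself contain no '/', so split on the last one
    pkg_type = "jar"
    for q in filter(None, qualifiers.split("&")):
        k, _, v = q.partition("=")
        if k == "type":
            pkg_type = unquote(v)
    return unquote(group), unquote(artifact), unquote(version), pkg_type


def pins_from_sbom(sbom_json):
    """Map (group, artifact, type) -> version for every Maven component in the SBOM."""
    pins = {}
    for comp in json.loads(sbom_json).get("components", []):
        parsed = parse_maven_purl(comp.get("purl", ""))
        if parsed is None:
            continue  # npm, pypi, ... components have no place in a pom
        group, artifact, version, pkg_type = parsed
        key = (group, artifact, pkg_type)
        if key in pins and pins[key] != version:
            # A single SBOM should never list two versions of one coordinate; refuse to guess.
            raise ValueError(f"conflicting versions for {group}:{artifact}: {pins[key]} vs {version}")
        pins[key] = version
    return pins


def dependency_management_xml(pins):
    """Render the pins as a <dependencyManagement> block to paste into the pom."""
    lines = ["<dependencyManagement>", "  <dependencies>"]
    for (group, artifact, pkg_type), version in sorted(pins.items()):
        lines += ["    <dependency>",
                  f"      <groupId>{group}</groupId>",
                  f"      <artifactId>{artifact}</artifactId>",
                  f"      <version>{version}</version>"]
        if pkg_type != "jar":
            lines.append(f"      <type>{pkg_type}</type>")
        lines.append("    </dependency>")
    lines += ["  </dependencies>", "</dependencyManagement>"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(dependency_management_xml(pins_from_sbom(SAMPLE_SBOM)))
```

Caveat: this pins versions, not bytes. Maven only checks a downloaded jar against the `.sha1` file served by the same repository, so the checksum half of a lockfile still rests on trusting the repository you resolve from.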
Top GitHub Comments
Ok, after discussing this I think the situation is that Maven is the source of truth for artifacts and their checksums. Maven doesn't really have a concept of committing a lockfile of those checksums to the repo. But every release comes with the SBOM, so that's about all I'd need for most of the things I'm interested in trialing.
I’ll close this issue but there might be some things that can be adopted from https://reproducible-builds.org/docs/jvm/ since maven apparently needs some configuration to build reproducible artifacts. And I’m going to have a read into https://github.com/jvm-repo-rebuild/reproducible-central
OK, I understand a bit more what you are trying to achieve.
Yes, you can have a scenario like this: A --> B --> C. B is indeed compiled using C, but C isn't included in B's jar. For a lot of reasons, A can depend on a method in C, hence the need to download all of the dependency tree.
Not that I know of. You can have a closed-world assumption by mirroring Maven Central internally using something like Nexus and only downloading your dependencies from there. Since you'll own the repository, you can enforce your own rules and have a dedicated audit process.
Since you have the tag and the SBOM generated by DT for a given version: if you build the artifact from source using Maven and generate an SBOM, wouldn't a deep comparison (dependencies' hashes included) of the DT SBOM and your generated SBOM be enough to ensure a "reproducible build"?
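The comparison suggested above, as an added example that is not part of the original thread or of Dependency-Track: it indexes two constructed CycloneDX SBOMs (the one shipped for a tag and one produced by rebuilding the same tag locally) by Maven coordinates and reports components present on one side only, version drift, and same-version components whose SHA-256 hashes differ. The sample SBOMs and hash values are constructed, not real Dependency-Track output.

```python
"""Deep comparison of two CycloneDX SBOMs: versions and artifact hashes per Maven coordinate."""
import json

# Constructed samples, not SBOMs published by Dependency-Track. "release" stands for what the project
# shipped for a tag, "rebuilt" for what a local build of the same tag produced with the CycloneDX plugin.
RELEASE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"purl": "pkg:maven/org.slf4j/slf4j-api@2.0.6?type=jar",
     "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
    {"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.1?type=jar",
     "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},
    {"purl": "pkg:maven/org.example/only-in-release@1.0.0?type=jar",
     "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]},
]})
REBUILT_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"purl": "pkg:maven/org.slf4j/slf4j-api@2.0.6?type=jar",
     "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},          # identical to the release
    {"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.2?type=jar",
     "hashes": [{"alg": "SHA-256", "content": "dd" * 32}]},          # version drifted on rebuild
    {"purl": "pkg:maven/org.example/only-in-rebuild@3.1.4?type=jar",
     "hashes": [{"alg": "SHA-256", "content": "ee" * 32}]},
]})


def index_components(sbom_json, alg="SHA-256"):
    """Map 'group/artifact' -> (version, hash) for Maven components; hash is None if the SBOM has none."""
    index = {}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:maven/"):
            continue
        coords, _, rest = purl[len("pkg:maven/"):].partition("@")
        version = rest.partition("?")[0]            # drop ?type=jar and other qualifiers
        digest = next((h["content"].lower() for h in comp.get("hashes", []) if h.get("alg") == alg), None)
        index[coords] = (version, digest)
    return index


def compare_sboms(release_json, rebuilt_json):
    """Return a dict of finding sets; all of them empty is what a reproducible dependency set looks like."""
    release, rebuilt = index_components(release_json), index_components(rebuilt_json)
    findings = {"only_in_release": set(release) - set(rebuilt),
                "only_in_rebuild": set(rebuilt) - set(release),
                "version_drift": set(), "hash_mismatch": set(), "unhashed": set()}
    for coords in set(release) & set(rebuilt):
        (rel_ver, rel_hash), (reb_ver, reb_hash) = release[coords], rebuilt[coords]
        if rel_ver != reb_ver:
            findings["version_drift"].add(coords)
        elif rel_hash is None or reb_hash is None:
            findings["unhashed"].add(coords)       # same version claimed, but nothing to verify it with
        elif rel_hash != reb_hash:
            findings["hash_mismatch"].add(coords)  # same coordinates, different bytes: investigate
    return findings


def is_reproducible(findings):
    """True only when both SBOMs describe the same coordinates, versions and hashes."""
    return not any(findings.values())


if __name__ == "__main__":
    for kind, coords in compare_sboms(RELEASE_SBOM, REBUILT_SBOM).items():
        for c in sorted(coords):
            print(f"{kind}: {c}")
```

A `hash_mismatch` on identical coordinates is the signal worth chasing: the rebuild pulled different bytes for the same group, artifact and version, which points at a different repository, a republished artifact or tampering rather than at ordinary version drift. Matching dependency hashes show that the rebuild consumed the same inputs; making the produced jar itself byte-identical additionally needs the `project.build.outputTimestamp` property described in the reproducible-builds.org JVM guide linked earlier in the thread.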