use "dependency management" feature of maven

Current Behavior

Currently you’re using maven to track the dependencies of dependency-track; however, maven doesn’t have a concept of lockfiles to pin the versions of transitive dependencies.

Even if I can see the transitive versions via the SBOM you publish each release, I should be able to track the dependencies of dependency-track for a specific tag to ensure I can build it with the same versions the release was built with.

Proposed Behavior

The “dependency management” feature is, as far as I can tell, the closest to lockfiles that maven gets: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#dependency-management

Issue Analytics

  • State: closed
  • Created 10 months ago
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
06kellyjac commented, Nov 29, 2022

Ok, after discussing this I think the situation is that maven is the source of truth for artifacts and their checksums. Maven doesn’t really have a concept of committing a lockfile of those checksums to the repo. But every release comes with the SBOM so that’s about all I’d need for most of the things I’m interested in trialing.

I’ll close this issue but there might be some things that can be adopted from https://reproducible-builds.org/docs/jvm/ since maven apparently needs some configuration to build reproducible artifacts. And I’m going to have a read into https://github.com/jvm-repo-rebuild/reproducible-central

0 reactions
syalioune commented, Nov 29, 2022

OK, I understand a bit more what you are trying to achieve.

My assumption there was the only download is the top-level unirest-java@3.13.11 jar since it has already been built. Does it actually need to download all transitive jars in order to do a build?

Yes, you can have a scenario like this A --> B --> C. B is indeed compiled using C but C isn’t included in B’s jar. For a lot of reasons, A can depend on a method in C hence the need to download all of the dependency tree.

Are there transparency logs or mirrors that could notice a change to an existing artifact?

Not that I know of. You can have a closed world assumption by mirroring maven central internally using something like nexus and only download your dependencies from there. Since you’ll own the repository, you can enforce your own rules and have a dedicated audit process.

Since you have the tag and SBOM generated by DT for a given version, if you build the artifact from the source using maven and generate a SBOM, wouldn’t the deep comparison (dependencies’ hashes included) of the DT SBOM and your generated SBOM be enough to ensure a “reproducible build”?
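The deep SBOM comparison suggested in the comment above, and the reporter's wish to confirm a local build pulled the same dependency versions as the release, can both be done with a small script. The following is an added example, not code from the dependency-track project or from either commenter: it parses two CycloneDX JSON SBOMs, keys components by their package URL with the version stripped, and reports missing, unexpected, version-mismatched, hash-mismatched and unverifiable (no shared hash algorithm) components. The two SBOMs embedded below are constructed samples; the unirest-java purl reflects the artifact named in the thread, while every hash value and the org.example components are made up.

```python
"""Deep-compare a published CycloneDX SBOM against one generated from a local build."""
import json
from typing import Dict, List

# Constructed sample: the SBOM a project would attach to a release (trimmed to
# the fields the comparison needs). All hash contents are fabricated placeholders.
RELEASE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "unirest-java", "version": "3.13.11",
     "purl": "pkg:maven/com.konghq/unirest-java@3.13.11",
     "hashes": [{"alg": "SHA-256", "content": "A1A1A1"}]},
    {"type": "library", "name": "example-transitive", "version": "1.2.0",
     "purl": "pkg:maven/org.example/example-transitive@1.2.0",
     "hashes": [{"alg": "SHA-256", "content": "b2b2b2"}]},
    {"type": "library", "name": "example-tampered", "version": "4.0.1",
     "purl": "pkg:maven/org.example/example-tampered@4.0.1",
     "hashes": [{"alg": "SHA-256", "content": "c3c3c3"}]}
  ]
}
"""

# Constructed sample: the SBOM from a local rebuild of the same tag. It resolved a
# newer transitive version, got a different jar for one artifact, and pulled an extra one.
LOCAL_SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "unirest-java", "version": "3.13.11",
     "purl": "pkg:maven/com.konghq/unirest-java@3.13.11",
     "hashes": [{"alg": "SHA-256", "content": "a1a1a1"}, {"alg": "SHA-1", "content": "ff00"}]},
    {"type": "library", "name": "example-transitive", "version": "1.3.0",
     "purl": "pkg:maven/org.example/example-transitive@1.3.0",
     "hashes": [{"alg": "SHA-256", "content": "d4d4d4"}]},
    {"type": "library", "name": "example-tampered", "version": "4.0.1",
     "purl": "pkg:maven/org.example/example-tampered@4.0.1",
     "hashes": [{"alg": "SHA-256", "content": "e5e5e5"}]},
    {"type": "library", "name": "extra-dep", "version": "0.9.0",
     "purl": "pkg:maven/org.example/extra-dep@0.9.0",
     "hashes": [{"alg": "SHA-256", "content": "f6f6f6"}]}
  ]
}
"""


def component_key(component: dict) -> str:
    """Identity of a component independent of its version: the purl with '@version'
    removed (qualifiers after '?' are not handled here), falling back to the name."""
    purl = component.get("purl")
    return purl.split("@", 1)[0] if purl else component.get("name", "<unnamed>")


def index_components(sbom: dict) -> Dict[str, dict]:
    return {component_key(c): c for c in sbom.get("components", [])}


def hashes_of(component: dict) -> Dict[str, str]:
    """Map hash algorithm -> lowercase hex digest, so case differences don't mislead."""
    return {h["alg"]: h["content"].lower() for h in component.get("hashes", [])}


def compare_sboms(expected: dict, actual: dict) -> Dict[str, List[str]]:
    exp, act = index_components(expected), index_components(actual)
    report: Dict[str, List[str]] = {k: [] for k in
        ("verified", "missing", "unexpected", "version_mismatch", "hash_mismatch", "unverifiable")}
    for key in sorted(exp):
        e, a = exp[key], act.get(key)
        if a is None:
            report["missing"].append(key)
        elif e.get("version") != a.get("version"):
            report["version_mismatch"].append(f"{key}: expected {e.get('version')}, got {a.get('version')}")
        else:
            eh, ah = hashes_of(e), hashes_of(a)
            common = set(eh) & set(ah)          # only algorithms both SBOMs carry can be checked
            if not common:
                report["unverifiable"].append(key)
            elif any(eh[alg] != ah[alg] for alg in common):
                report["hash_mismatch"].append(key)   # same version, different bytes
            else:
                report["verified"].append(key)
    report["unexpected"] = sorted(set(act) - set(exp))
    return report


def compare_sbom_json(expected_json: str, actual_json: str) -> Dict[str, List[str]]:
    return compare_sboms(json.loads(expected_json), json.loads(actual_json))


def is_reproducible(report: Dict[str, List[str]]) -> bool:
    """True only when every expected component was found, at the same version, with a
    matching hash, and nothing extra was resolved."""
    return all(not report[k] for k in ("missing", "unexpected", "version_mismatch", "hash_mismatch", "unverifiable"))


if __name__ == "__main__":
    result = compare_sbom_json(RELEASE_SBOM_JSON, LOCAL_SBOM_JSON)
    print(json.dumps(result, indent=2))
    print("reproducible:", is_reproducible(result))
```

Treating "unverifiable" as a failure is deliberate: a component that both SBOMs list but for which they share no hash algorithm has not actually been checked, and silently passing it would turn the comparison back into a version-only check, which is exactly what the thread says Maven already gives you.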
