save checkpoint
This commit is contained in:
master
@@ -0,0 +1,34 @@
|
||||
# Java Lockfile Collector and CLI Validator
|
||||
|
||||
## Module
|
||||
Scanner
|
||||
|
||||
## Status
|
||||
VERIFIED
|
||||
|
||||
## Description
|
||||
Collects and validates Java dependency lockfiles (Gradle lockfile, Maven dependency:tree output) providing a CLI-accessible integrity check for pinned dependency versions.
|
||||
|
||||
## Implementation Details
|
||||
- **Lockfile Collection**:
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaLockFileCollector.cs` - `JavaLockFileCollector` collects and validates Gradle lockfiles and Maven dependency:tree outputs for pinned dependency versions
|
||||
- **Language Analyzer Integration**:
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs` - `JavaLanguageAnalyzer` integrates lockfile collection into the analysis pipeline
|
||||
|
||||
## E2E Test Plan
|
||||
- [ ] Scan a container image with a Gradle project containing `gradle.lockfile` and verify pinned dependency versions are collected
|
||||
- [ ] Scan a Maven project with `dependency:tree` output and verify the lockfile collector parses resolved versions
|
||||
- [ ] Verify lockfile integrity validation detects tampered or inconsistent lockfile entries
|
||||
- [ ] Verify lockfile-collected versions take precedence over declared versions when both are available
|
||||
- [ ] Verify missing lockfile scenarios are handled gracefully with appropriate warnings
|
||||
|
||||
---
|
||||
|
||||
## Verification
|
||||
|
||||
| Check | Result |
|
||||
|-------|--------|
|
||||
| Tier 0 - Source files exist | PASS |
|
||||
| Tier 1 - Build + code review | PASS |
|
||||
| Tier 2 - Integration tests | PASS |
|
||||
| Verified | 2026-02-13T18:10:00Z |
|
||||
Reference in New Issue
Block a user