# Java Lockfile Collector and CLI Validator

## Module
Scanner

## Status
VERIFIED

## Description
Collects and validates Java dependency lockfiles (Gradle lockfile, Maven dependency:tree output) providing a CLI-accessible integrity check for pinned dependency versions.

## Implementation Details
- **Lockfile Collection**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaLockFileCollector.cs`
  - `JavaLockFileCollector` collects and validates Gradle lockfiles and Maven dependency:tree outputs for pinned dependency versions
- **Language Analyzer Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs`
  - `JavaLanguageAnalyzer` integrates lockfile collection into the analysis pipeline

## E2E Test Plan
- [ ] Scan a container image with a Gradle project containing `gradle.lockfile` and verify pinned dependency versions are collected
- [ ] Scan a Maven project with `dependency:tree` output and verify the lockfile collector parses resolved versions
- [ ] Verify lockfile integrity validation detects tampered or inconsistent lockfile entries
- [ ] Verify lockfile-collected versions take precedence over declared versions when both are available
- [ ] Verify missing lockfile scenarios are handled gracefully with appropriate warnings

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
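
The following is an added example, not code from `JavaLockFileCollector` or the StellaOps repository: a Python sketch of the kind of check the test plan describes for `gradle.lockfile`, flagging malformed entries, dynamic (unpinned) versions and conflicting pins, and preferring the locked version over the declared one. The function names, the finding labels, the reading of "inconsistent" as "two versions of one module in the same configuration" and the sample lockfile are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in gradle.lockfile format; lines 4-6 are deliberately bad.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
com.google.guava:guava:31.1-jre=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:1.7.36=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.9=runtimeClasspath
com.example:lib:1.+=compileClasspath
not-a-coordinate
empty=annotationProcessor
"""

# group:artifact:version=config1,config2
ENTRY = re.compile(r"^([^:=\s]+):([^:=\s]+):([^:=\s]+)=(\S*)$")
# Dynamic selectors (1.+, [1.0,2.0), latest.release) are not resolved versions.
DYNAMIC = re.compile(r"[+\[\]()]|^latest\.")


def parse_lockfile(text):
    """Return (pins, findings); pins maps configuration -> {group:artifact: version}."""
    pins, findings = defaultdict(dict), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue  # comments and the "empty=" marker carry no pins
        m = ENTRY.match(line)
        if not m:
            findings.append((lineno, "malformed", line))
            continue
        group, artifact, version, configs = m.groups()
        key = f"{group}:{artifact}"
        if DYNAMIC.search(version):
            findings.append((lineno, "unpinned-version", f"{key}:{version}"))
            continue
        for config in filter(None, configs.split(",")):
            previous = pins[config].setdefault(key, version)
            if previous != version:  # same module locked twice with different versions
                detail = f"{key} {previous} vs {version} in {config}"
                findings.append((lineno, "conflicting-pin", detail))
    return dict(pins), findings


def effective_version(key, declared, pins, config="runtimeClasspath"):
    """Use the locked version when the lockfile pins this module, else the declared one."""
    return pins.get(config, {}).get(key, declared)
```
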