Java Lockfile Collector and CLI Validator
Module
Scanner
Status
IMPLEMENTED
Description
Collects and validates Java dependency lockfiles (Gradle lockfile, Maven dependency:tree output), providing a CLI-accessible integrity check for pinned dependency versions.
Implementation Details
- Lockfile Collection:
  src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaLockFileCollector.cs - JavaLockFileCollector collects and validates Gradle lockfiles and Maven dependency:tree outputs for pinned dependency versions
- Language Analyzer Integration:
  src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs - JavaLanguageAnalyzer integrates lockfile collection into the analysis pipeline
E2E Test Plan
- Scan a container image with a Gradle project containing gradle.lockfile and verify pinned dependency versions are collected
- Scan a Maven project with dependency:tree output and verify the lockfile collector parses resolved versions
- Verify lockfile integrity validation detects tampered or inconsistent lockfile entries
- Verify lockfile-collected versions take precedence over declared versions when both are available
- Verify missing lockfile scenarios are handled gracefully with appropriate warnings
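The following is an added worked example, not code from StellaOps or from the JavaLockFileCollector described above; it is written in Python rather than the project's C# so it runs standalone. It shows the two input formats the collector handles (the group:artifact:version=configuration lines of a gradle.lockfile and the group:artifact:type[:classifier]:version:scope lines of dependency:tree output), the integrity check the test plan calls for (one coordinate pinned to two versions inside a single configuration, or a malformed line), the lockfile-over-declared precedence rule, and the missing-lockfile warning. The sample lockfile, tree output and declared versions are constructed for the example, and the function names and the LockResult type are the example's own, not the project's.

```python
"""Added example: parse Gradle lockfiles and Maven dependency:tree output into
pinned coordinates, flag inconsistent entries, and let locked versions override
declared ones. Standalone illustration, not StellaOps code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample inputs; coordinates and versions are illustrative only.
GRADLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
com.google.guava:guava:31.1-jre=compileClasspath,runtimeClasspath
com.google.guava:guava:30.0-jre=compileClasspath
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.9=testRuntimeClasspath
this line is not a coordinate
empty=annotationProcessor
"""

MAVEN_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  \\- com.google.guava:guava:jar:31.1-jre:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Gradle entry: group:artifact:version=config1,config2
_GRADLE_ENTRY = re.compile(r"^([^:=\s]+):([^:=\s]+):([^=\s]+)=(\S+)$")

Coord = tuple[str, str]  # (group, artifact)


@dataclass
class LockResult:
    # (group, artifact) -> {configuration or scope: version}
    pinned: dict[Coord, dict[str, str]] = field(default_factory=dict)
    warnings: list[str] = field(default_factory=list)

    def _pin(self, where: str, coord: Coord, cfg: str, version: str) -> None:
        per_cfg = self.pinned.setdefault(coord, {})
        prev = per_cfg.get(cfg)
        if prev is not None and prev != version:
            # Gradle and Maven never emit two versions of one coordinate for the
            # same configuration; treat it as a tampered or hand-edited file.
            self.warnings.append(
                f"{where}: {coord[0]}:{coord[1]} pinned to both {prev} and {version} in {cfg}")
            return
        per_cfg[cfg] = version


def parse_gradle_lockfile(text: str) -> LockResult:
    res = LockResult()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue  # comments, and the list of configurations with no dependencies
        m = _GRADLE_ENTRY.match(line)
        if not m:
            res.warnings.append(f"gradle.lockfile:{n}: malformed entry {line!r}")
            continue
        group, artifact, version, configs = m.groups()
        for cfg in configs.split(","):
            res._pin(f"gradle.lockfile:{n}", (group, artifact), cfg, version)
    return res


def parse_maven_tree(text: str) -> LockResult:
    """Dependency lines are group:artifact:type[:classifier]:version:scope
    behind an [INFO] prefix and tree-drawing characters (+- |  \\-)."""
    res = LockResult()
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.startswith("[INFO]"):
            continue
        body = raw[len("[INFO]"):].strip().lstrip("|+\\- ")
        parts = body.split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue  # plugin banner or the project's own root line (no scope)
        res._pin(f"dependency:tree:{n}", (group, artifact), scope, version)
    return res


def resolve_versions(declared: dict[Coord, str], lock: LockResult | None, cfg: str):
    """Locked versions take precedence over declared (build-file) versions for the
    given configuration; a missing lockfile is a warning, not an error."""
    if lock is None:
        return dict(declared), ["no lockfile found; falling back to declared versions"]
    effective, notes = dict(declared), []
    for coord, per_cfg in lock.pinned.items():
        if cfg not in per_cfg:
            continue
        locked = per_cfg[cfg]
        if coord in declared and declared[coord] != locked:
            notes.append(f"{coord[0]}:{coord[1]}: declared {declared[coord]} overridden by locked {locked}")
        effective[coord] = locked
    return effective, notes


if __name__ == "__main__":
    gradle = parse_gradle_lockfile(GRADLE_LOCKFILE)
    print(gradle.pinned, gradle.warnings, sep="\n")
    maven = parse_maven_tree(MAVEN_TREE)
    print(maven.pinned, maven.warnings, sep="\n")
    declared = {("com.google.guava", "guava"): "31.0-jre"}
    print(resolve_versions(declared, gradle, "compileClasspath"))
    print(resolve_versions(declared, None, "compileClasspath"))
```

Note that the same coordinate resolving to different versions in different Gradle configurations (commons-lang3 3.12.0 on compileClasspath, 3.9 on testRuntimeClasspath) is legitimate lockfile content and is kept per configuration; only a conflict inside one configuration is reported as an integrity failure.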