git.stella-ops.org/docs/features/checked/scanner/java-lockfile-collector-and-cli-validator.md
2026-02-14 09:11:48 +02:00

Java Lockfile Collector and CLI Validator

Module: Scanner

Status: VERIFIED

Description

Collects and validates Java dependency lockfiles (Gradle's gradle.lockfile and Maven's dependency:tree output), and exposes a CLI-accessible integrity check for pinned dependency versions.

Implementation Details

  • Lockfile Collection:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaLockFileCollector.cs - JavaLockFileCollector collects and validates Gradle lockfiles and Maven dependency:tree outputs for pinned dependency versions
  • Language Analyzer Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs - JavaLanguageAnalyzer integrates lockfile collection into the analysis pipeline

E2E Test Plan

  • Scan a container image with a Gradle project containing gradle.lockfile and verify pinned dependency versions are collected
  • Scan a Maven project with dependency:tree output and verify the lockfile collector parses resolved versions
  • Verify lockfile integrity validation detects tampered or inconsistent lockfile entries
  • Verify lockfile-collected versions take precedence over declared versions when both are available
  • Verify missing lockfile scenarios are handled gracefully with appropriate warnings
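The behaviour listed above (parse gradle.lockfile, parse Maven dependency:tree output, flag inconsistent entries, let lockfile versions win over declared ones, and warn rather than fail when no lockfile exists) is illustrated by the following stand-alone Python sketch. It is an added example, not the StellaOps JavaLockFileCollector or JavaLanguageAnalyzer code; the sample lockfile, tree output and declared-version map are constructed here, and the "one version per module per configuration" rule is the consistency check this example assumes.

```python
"""Illustrative Java lockfile collector: added example, not StellaOps code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One dependency:tree node, e.g. "[INFO] |  \- group:artifact:jar:1.0:compile"
_TREE_NODE = re.compile(r"^\[INFO\]\s+[|\s]*[+\\]-\s+(\S+)")


@dataclass
class LockResult:
    pinned: dict[str, str] = field(default_factory=dict)  # "group:artifact" -> version
    warnings: list[str] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)       # integrity problems


def parse_gradle_lockfile(text: str) -> LockResult:
    """Parse gradle.lockfile lines of the form group:artifact:version=cfg1,cfg2."""
    result = LockResult()
    seen: dict[tuple[str, str], str] = {}  # (module, configuration) -> version
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue  # comments and "empty=<config>" markers carry no pins
        coords, sep, configs = line.partition("=")
        parts = coords.split(":")
        if not sep or len(parts) != 3 or not all(parts) or not configs:
            result.errors.append(f"line {lineno}: malformed entry {line!r}")
            continue
        group, artifact, version = parts
        module = f"{group}:{artifact}"
        for cfg in configs.split(","):
            prev = seen.setdefault((module, cfg), version)
            if prev != version:  # a configuration cannot resolve two versions of one module
                result.errors.append(
                    f"line {lineno}: {module} pinned to both {prev} and {version} in {cfg}")
        result.pinned.setdefault(module, version)  # first pin wins for the summary
    return result


def parse_maven_dependency_tree(text: str) -> LockResult:
    """Parse non-verbose `mvn dependency:tree` output.

    Node coordinates are group:artifact:type[:classifier]:version:scope.
    """
    result = LockResult()
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = _TREE_NODE.match(raw)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) not in (5, 6):
            result.errors.append(f"line {lineno}: unexpected coordinates {m.group(1)!r}")
            continue
        module, version = f"{parts[0]}:{parts[1]}", parts[-2]
        prev = result.pinned.setdefault(module, version)
        if prev != version:
            result.errors.append(f"line {lineno}: {module} resolved to both {prev} and {version}")
    return result


def effective_versions(declared: dict[str, str],
                       lock: LockResult | None) -> tuple[dict[str, str], list[str]]:
    """Lockfile versions take precedence; a missing lockfile is a warning, not an error."""
    if lock is None:
        return dict(declared), ["no lockfile found; declared versions are unpinned"]
    merged, warnings = dict(declared), list(lock.warnings)
    for module, version in lock.pinned.items():
        if module in declared and declared[module] != version:
            warnings.append(f"{module}: declared {declared[module]}, lockfile pins {version}")
        merged[module] = version
    for module in sorted(declared.keys() - lock.pinned.keys()):
        warnings.append(f"{module}: declared but absent from lockfile")
    return merged, warnings


# Constructed sample inputs (not taken from any real project).
GRADLE_LOCK = """\
# This is a Gradle generated file for dependency locking.
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
com.google.guava:guava:32.1.2-jre=compileClasspath,runtimeClasspath
com.google.guava:guava:31.1-jre=compileClasspath
org.slf4j:slf4j-api=runtimeClasspath
empty=annotationProcessor
"""

MAVEN_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
[INFO] BUILD SUCCESS
"""

DECLARED = {"org.apache.commons:commons-lang3": "3.+", "org.slf4j:slf4j-api": "2.0.9"}

if __name__ == "__main__":
    lock = parse_gradle_lockfile(GRADLE_LOCK)
    merged, warns = effective_versions(DECLARED, lock)
    print("errors:", *lock.errors, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
    print("effective:", merged)
    print("maven:", parse_maven_dependency_tree(MAVEN_TREE).pinned)
```

Running the module prints two integrity errors for the constructed lockfile (a malformed entry and guava pinned to two versions on compileClasspath), two precedence warnings, and the four Maven modules resolved from the tree output.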

Verification

Check                          Result
Tier 0 - Source files exist    PASS
Tier 1 - Build + code review   PASS
Tier 2 - Integration tests     PASS

Verified 2026-02-13T18:10:00Z