stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
9ca2de05dff9c7db11eb49df6d4e47bbfe7a99f6
git.stella-ops.org/docs/features/unchecked/scanner/java-lockfile-collector-and-cli-validator.md

1.3 KiB
Raw Blame History

Java Lockfile Collector and CLI Validator

Module

Scanner

Status

IMPLEMENTED

Description

Collects and validates Java dependency lockfiles (Gradle lockfile, Maven dependency:tree output) providing a CLI-accessible integrity check for pinned dependency versions.

Implementation Details

  • Lockfile Collection:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/Internal/JavaLockFileCollector.cs - JavaLockFileCollector collects and validates Gradle lockfiles and Maven dependency:tree outputs for pinned dependency versions
  • Language Analyzer Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/JavaLanguageAnalyzer.cs - JavaLanguageAnalyzer integrates lockfile collection into the analysis pipeline

E2E Test Plan

  • Scan a container image with a Gradle project containing gradle.lockfile and verify pinned dependency versions are collected
  • Scan a Maven project with dependency:tree output and verify the lockfile collector parses resolved versions
  • Verify lockfile integrity validation detects tampered or inconsistent lockfile entries
  • Verify lockfile-collected versions take precedence over declared versions when both are available
  • Verify missing lockfile scenarios are handled gracefully with appropriate warnings