Java & Kotlin - Gradle, Maven, Bazel
See a breakdown of the file formats and features supported in Java/Kotlin.
Debricked currently supports tracking Java or Kotlin dependencies via:
Gradle (using build.gradle and build.gradle.kts files)
Maven (using pom.xml files)
Bazel (using WORKSPACE and install.json files)
File fingerprinting to detect dependencies not specified in manifest files
Gradle
To achieve the fastest and most accurate results, create a file containing the resolved dependency tree, named gradle.debricked.lock, before scanning.
This can be accomplished with the High Performance Scans technology in the Debricked CLI: running its resolve command automatically identifies every manifest file that lacks the recommended Gradle lock file and generates it as needed.
It is also possible to create the recommended file(s) manually by running the Gradle dependencies command and saving its output as a gradle.debricked.lock file.
Every gradle.debricked.lock file should be placed in the same directory as its corresponding build.gradle or build.gradle.kts file.
Maven
To achieve the fastest and most accurate results, create a file containing the resolved dependency tree, named maven.debricked.lock, before scanning.
This can be accomplished with the High Performance Scans technology in the Debricked CLI: running its resolve command automatically identifies every manifest file that lacks the recommended Maven lock file and generates it as needed.
It is also possible to create the recommended file(s) manually by running the Maven dependency:tree plugin and saving its output as a maven.debricked.lock file.
Every maven.debricked.lock file should be placed in the same directory as its corresponding pom.xml file.
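As an added example (not Debricked's own tooling), the following POSIX shell script performs the manual procedure from the Gradle and Maven sections above: it walks a repository, and for every build.gradle, build.gradle.kts or pom.xml that has no lock file yet, writes the resolved dependency tree to a gradle.debricked.lock or maven.debricked.lock beside it. It assumes gradle (or the project's own gradlew) and mvn are available; the function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example: generate Debricked lock files next to each Gradle/Maven manifest.
set -eu

# Map a manifest path to the lock file Debricked expects in the same directory.
# Returns 1 for files that are not Gradle or Maven manifests.
lock_file_for() {
  dir=$(dirname "$1")
  case $(basename "$1") in
    build.gradle|build.gradle.kts) printf '%s/gradle.debricked.lock\n' "$dir" ;;
    pom.xml)                       printf '%s/maven.debricked.lock\n' "$dir" ;;
    *) return 1 ;;
  esac
}

# Write the resolved dependency tree for one manifest, unless a lock file exists.
generate_lock() {
  manifest=$1
  lock=$(lock_file_for "$manifest") || { echo "skip: $manifest" >&2; return 0; }
  [ -f "$lock" ] && { echo "exists: $lock"; return 0; }
  dir=$(dirname "$manifest")
  case $(basename "$manifest") in
    build.gradle|build.gradle.kts)
      # Prefer the project's wrapper so the pinned Gradle version is used.
      if [ -x "$dir/gradlew" ]; then g="$dir/gradlew"; else g=gradle; fi
      # Running in the manifest's directory resolves that (sub)project's tree.
      (cd "$dir" && "$g" --quiet dependencies > "$(basename "$lock")") ;;
    pom.xml)
      (cd "$dir" && mvn --quiet dependency:tree -DoutputFile="$(basename "$lock")") ;;
  esac
  echo "wrote: $lock"
}

# Find every manifest under the given root (default: current directory),
# skipping Gradle and Maven build output directories.
generate_all() {
  root=${1:-.}
  find "$root" \( -name build.gradle -o -name build.gradle.kts -o -name pom.xml \) \
    ! -path '*/build/*' ! -path '*/target/*' -print |
  while IFS= read -r manifest; do
    generate_lock "$manifest"
  done
}

# Usage: sh generate-locks.sh --run [repo-root]
case "${1:-}" in --run) generate_all "${2:-.}" ;; esac
```

Existing lock files are left untouched, so the script can be re-run safely; delete a lock file to force regeneration after a dependency change.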
Bazel
Debricked supports Java projects that use Bazel by scanning the WORKSPACE file format along with any Java file formats in use. For fast and accurate scans, Debricked recommends using rules_jvm_external to generate an install.json file, which resolves and pins all indirect dependencies in a lock file.
For more detailed instructions on setting this up in your project, see Bazel blog.
File fingerprinting
Debricked supports scanning for Java dependencies not defined in manifest files through file fingerprinting. Our database contains the hashes of .jar and .war files, as well as of their unpacked contents, for all packages in the largest Maven repository. These hashes are compared with the contents of your application to produce matches that are as accurate as possible.
For more information on file fingerprinting and how to set it up, see file fingerprinting.
Supported file formats and features
Package manager    File
Gradle             build.gradle
Gradle             build.gradle.kts
Maven              pom.xml
Bazel              WORKSPACE
Bazel              install.json
-                  fingerprinted files (.jar, .war, pom.xml and more*)
*When building the knowledge base, the files are downloaded and unpacked, and fingerprints are created for the contents of every file, except for certain excluded patterns. For example, Debricked matches .dll files used in C# and .class files found within .jar files from Java, among others.