search
WebsiteBlog

Java & Kotlin - Gradle, Maven, Bazel

This section provides a breakdown of the file formats and features supported in Java/Kotlin.

OpenText Core SCA currently supports tracking Java or Kotlin dependencies using:

  • Gradle (using build.gradle and build.gradle.kts files)

  • Maven (using pom.xml files)

  • Bazel (using WORKSPACE and install.json files)

  • File fingerprinting to detect dependencies not specified in manifest files

hashtag
Gradle

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .gradle.debricked.lock before scanning.

This can be accomplished using the High Performance Scans technology in OpenText Core SCA CLI. If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended Gradle lock files and generates them as needed.

You can create the recommended file(s) manually by running the Gradle dependencies command and saving the output in a gradle.debricked.lock file.

gradle dependencies > gradle.debricked.lock

Every gradle.debricked.lock file should be placed in the same directory as its corresponding build.gradle or build.gradle.kts file.

hashtag
Maven

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .maven.debricked.lock before scanning.

This can be accomplished using the High Performance Scans technology in our OpenText Core SCA CLI. If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended maven lock files and generates them as needed.

You can manually generate the recommended file(s) by running the Maven dependency:tree plugin and saving the output to a maven.debricked.lock file.

mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf

Every maven.debricked.lock file should be placed in the same directory as the corresponding pom.xml file.

hashtag
Bazel

OpenText Core SCA supports Java projects that utilize Bazel by scanning the WORKSPACE file format along with any Java file formats in use. To ensure fast and accurate scans, OpenText Core SCA recommends utilizing rules_jvm_external to generate an install.json file, which resolves and pins all indirect dependencies in a lock file.

For more information on setting this up in your project, see Bazel blogarrow-up-right.

hashtag
File fingerprinting

OpenText Core SCA supports scanning for Java dependencies not defined in manifest-files through file fingerprinting. Our database contains the hashes of .jar and .war files as well as their unpacked contents for all packages in the largest maven repository. This is used when comparing with the contents of your application, to ensure as accurate matches as possible.

For more information on file fingerprinting and how to set it up, see file fingerprinting.

hashtag
Supported file formats and features

Package manager
Supported file formats
Root dependencies
Indirect dependencies
Dependency trees
Security scanning
License scanning
Root fix
Pull Request
Reachability Analysis
High Performance Scan

Gradle

build.gradle

Gradle

build.gradle.kts

Maven

pom.xml

Bazel

WORKSPACE

Bazel

install.json

-

fingerprinted files (.jar, .war, pom.xml and more*)

*When building the knowledge base, the files are downloaded, unpacked and fingerprints are created for all file contents, except for certain excluded patterns. The fingerprints are created for the contents of each file. For example, OpenText Core SCA matches .dll files used in C# and .class files found within .jar files from Java, among others.

Last updated

Was this helpful?