Java & Kotlin - Gradle, Maven, Bazel

See a breakdown of the file formats and features supported in Java/Kotlin.

Debricked currently supports tracking Java/Kotlin dependencies via:

  • Gradle, using build.gradle and build.gradle.kts files

  • Maven, using pom.xml files

  • Bazel, using WORKSPACE & install.json files

  • File fingerprinting, to find dependencies not defined in manifest files

Gradle

For the fastest and most accurate results, a file containing the resolved dependency tree, .gradle.debricked.lock has to be created prior to scanning.

This can be done using the High Performance Scans technology in our Debricked CLI. By running the resolve command, the CLI automatically detects all manifest files without the recommended gradle lock files and generates the files as needed.

It is also possible to generate the recommended file(s) manually, by running the Gradle dependencies command and storing the output in a gradle.debricked.lock file.

gradle dependencies > gradle.debricked.lock

Every gradle.debricked.lock file must be put in the same directory as the corresponding build.gradle (recommended) or build.gradle.kts.

Maven

For the fastest and most accurate results, a file containing the resolved dependency tree, .maven.debricked.lock, has to be created prior to scanning.

This can be done using the High Performance Scans technology in our Debricked CLI. By running the resolve command, the CLI automatically detects all manifest files without the recommended maven lock files and generates the files as needed.

It is also possible to generate the recommended file(s) manually, by running the Maven dependency:tree plugin and storing the output in a maven.debricked.lock file.

mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf

Every maven.debricked.lock file must be put in the same directory as the corresponding pom.xml.
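Both the Gradle and Maven sections above require a lock file next to each manifest before a scan. The following POSIX shell script is an added example (not part of the Debricked documentation or CLI): it finds every build.gradle, build.gradle.kts and pom.xml under a directory, reports the ones whose sibling lock file is missing, and can generate the missing files by running the two commands quoted above from the manifest's own directory. The lock file names follow those commands (gradle.debricked.lock and maven.debricked.lock); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Debricked's own tooling: pre-scan check that every
# Gradle/Maven manifest has the sibling lock file described in the docs.

# Print the expected lock file path for a manifest; print nothing for a
# file that is not a supported manifest.
lock_path_for() {
    dir=$(dirname "$1")
    case $(basename "$1") in
        build.gradle|build.gradle.kts) printf '%s/gradle.debricked.lock\n' "$dir" ;;
        pom.xml)                       printf '%s/maven.debricked.lock\n' "$dir" ;;
    esac
}

# List every manifest under $1 whose lock file does not exist, one per line.
missing_locks() {
    find "$1" -type f \( -name build.gradle -o -name build.gradle.kts -o -name pom.xml \) |
    while IFS= read -r manifest; do
        lock=$(lock_path_for "$manifest")
        [ -f "$lock" ] || printf '%s\n' "$manifest"
    done
}

# Generate the lock file for one manifest with the command the docs give,
# run from the manifest's directory so the file lands beside it.
# Returns non-zero when the build tool is not installed or the file is unknown.
generate_lock() {
    manifest=$1
    dir=$(dirname "$manifest")
    case $(basename "$manifest") in
        build.gradle|build.gradle.kts)
            command -v gradle >/dev/null 2>&1 || return 1
            (cd "$dir" && gradle dependencies > gradle.debricked.lock) ;;
        pom.xml)
            command -v mvn >/dev/null 2>&1 || return 1
            (cd "$dir" && mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf) ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_locks.sh <project-root>
# Reports each manifest without a lock file and tries to generate one.
if [ "$#" -gt 0 ]; then
    missing_locks "$1" | while IFS= read -r m; do
        printf 'missing lock file for %s\n' "$m"
        generate_lock "$m" || printf '  could not generate (tool not installed?)\n'
    done
fi
```

Running the check in CI before invoking the scanner catches the case the docs warn about: a module added without its lock file silently falls back to a slower, less accurate scan.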

Bazel

We also support Java projects using Bazel, where we scan the WORKSPACE file format in addition to any Java file formats being used. In order to guarantee fast and accurate scans, we recommend using rules_jvm_external to generate an install.json file where all indirect dependencies are resolved and pinned in a lock file. For more information on how to set this up in your project, please refer to the bazel blog.

File fingerprinting

Debricked supports scanning for Java dependencies not defined in manifest files through file fingerprinting. Our database contains the hashes of .jar and .war files, as well as their unpacked contents, for all packages in the largest Maven repository. These hashes are compared with the contents of your application to produce matches that are as accurate as possible. For more information on file fingerprinting and how to set it up, see file fingerprinting.

Supported file formats and features:

Features assessed for each format: Root dependencies, Indirect dependencies, Dependency trees, Security Scanning, License Scanning, Root Fix, Pull Request, Vulnerable Functionality, High Performance Scan.

Package Manager   Supported File Formats
Gradle            build.gradle
Gradle            build.gradle.kts
Maven             pom.xml
Bazel             WORKSPACE
Bazel             install.json
-                 fingerprinted files (.jar, .war, pom.xml and more*)

*When building our knowledge base, we download files, unpack them, and fingerprint all file contents apart from a few excluded patterns. This is the list of files we download from each source; we fingerprint all contents of each file. For example, we match on .dll files for C#, and on files such as the .class files contained in a .jar file for Java.
