Java & Kotlin - Gradle, Maven, Bazel

This section provides a breakdown of the file formats and features supported in Java/Kotlin.

OpenText Core SCA currently supports tracking Java or Kotlin dependencies using:

Gradle (using build.gradle and build.gradle.kts files)
Maven (using pom.xml files)
Bazel (using WORKSPACE and install.json files)
to detect dependencies not specified in manifest files

Gradle

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .gradle.debricked.lock before scanning.

This can be accomplished using the technology in . If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended Gradle lock files and generates them as needed.

You can create the recommended file(s) manually by running the Gradle dependencies command and saving the output in a gradle.debricked.lock file.

gradle dependencies > gradle.debricked.lock

Every gradle.debricked.lock file should be placed in the same directory as its corresponding build.gradle or build.gradle.kts file.

Maven

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .maven.debricked.lock before scanning.

This can be accomplished using the technology in our . If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended maven lock files and generates them as needed.

You can manually generate the recommended file(s) by running the Maven dependency:tree plugin and saving the output to a maven.debricked.lock file.

mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf

Every maven.debricked.lock file should be placed in the same directory as the corresponding pom.xml file.

Bazel

OpenText Core SCA supports Java projects that utilize Bazel by scanning the WORKSPACE file format along with any Java file formats in use. To ensure fast and accurate scans, OpenText Core SCA recommends utilizing rules_jvm_external to generate an install.json file, which resolves and pins all indirect dependencies in a lock file.

File fingerprinting

OpenText Core SCA supports scanning for Java dependencies not defined in manifest-files through file fingerprinting. Our database contains the hashes of .jar and .war files as well as their unpacked contents for all packages in the largest maven repository. This is used when comparing with the contents of your application, to ensure as accurate matches as possible.

Supported file formats and features

*When building the knowledge base, the files are downloaded, unpacked and fingerprints are created for all file contents, except for certain excluded patterns. The fingerprints are created for the contents of each file. For example, OpenText Core SCA matches .dll files used in C# and .class files found within .jar files from Java, among others.

Last updated 28 days ago

Was this helpful?

OpenText Core SCA currently supports tracking Java or Kotlin dependencies using:

Gradle (using build.gradle and build.gradle.kts files)
Maven (using pom.xml files)
Bazel (using WORKSPACE and install.json files)
to detect dependencies not specified in manifest files

Gradle

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .gradle.debricked.lock before scanning.

This can be accomplished using the technology in . If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended Gradle lock files and generates them as needed.

You can create the recommended file(s) manually by running the Gradle dependencies command and saving the output in a gradle.debricked.lock file.

gradle dependencies > gradle.debricked.lock

Every gradle.debricked.lock file should be placed in the same directory as its corresponding build.gradle or build.gradle.kts file.

Maven

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .maven.debricked.lock before scanning.

This can be accomplished using the technology in our . If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended maven lock files and generates them as needed.

You can manually generate the recommended file(s) by running the Maven dependency:tree plugin and saving the output to a maven.debricked.lock file.

mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf

Every maven.debricked.lock file should be placed in the same directory as the corresponding pom.xml file.

Bazel

OpenText Core SCA supports Java projects that utilize Bazel by scanning the WORKSPACE file format along with any Java file formats in use. To ensure fast and accurate scans, OpenText Core SCA recommends utilizing rules_jvm_external to generate an install.json file, which resolves and pins all indirect dependencies in a lock file.

For more information on setting this up in your project, see .

File fingerprinting

OpenText Core SCA supports scanning for Java dependencies not defined in manifest-files through file fingerprinting. Our database contains the hashes of .jar and .war files as well as their unpacked contents for all packages in the largest maven repository. This is used when comparing with the contents of your application, to ensure as accurate matches as possible.

For more information on file fingerprinting and how to set it up, see .

Supported file formats and features

*When building the knowledge base, the files are downloaded, unpacked and fingerprints are created for all file contents, except for certain excluded patterns. The fingerprints are created for the contents of each file. For example, OpenText Core SCA matches .dll files used in C# and .class files found within .jar files from Java, among others.

For more information on setting this up in your project, see .

For more information on file fingerprinting and how to set it up, see .

File fingerprinting

High Performance Scans

OpenText Core SCA CLI

High Performance Scans

OpenText Core SCA CLI

Bazel blog

file fingerprinting