Java & Kotlin - Gradle, Maven, Bazel
See a breakdown of the file formats and features supported in Java/Kotlin.
Debricked currently supports tracking Java/Kotlin dependencies via:
Gradle, using build.gradle and build.gradle.kts files
Maven, using pom.xml files
Bazel, using WORKSPACE & install.json files
File fingerprinting, to find dependencies not defined in manifest-files
Gradle
For the fastest and most accurate results, a file containing the resolved dependency tree, .gradle.debricked.lock has to be created prior to scanning.
This can be done using the High Performance Scans technology in our Debricked CLI. By running the resolve command, the CLI automatically detects all manifest files without the recommended gradle lock files and generates the files as needed.
It is also possible to generate the recommended file(s) manually, by running the Gradle dependencies command and storing the output in a gradle.debricked.lock file.
Every gradle.debricked.lock file must be put in the same directory as the corresponding build.gradle (recommended) or build.gradle.kts.
Maven
For the fastest and most accurate results, a file containing the resolved dependency tree, .maven.debricked.lock, has to be created prior to scanning.
This can be done using the High Performance Scans technology in our Debricked CLI. By running the resolve command, the CLI automatically detects all manifest files without the recommended maven lock files and generates the files as needed.
It is also possible to generate the recommended file(s) manually, by running the Maven dependency:tree plugin and storing the output in a maven.debricked.lock file.
Every maven.debricked.lock file must be put in the same directory as the corresponding pom.xml.
Bazel
We also support Java projects using Bazel, where we scan the WORKSPACE file format in addition to any Java file formats being used. In order to guarantee fast and accurate scans, we recommend using rules_jvm_external to generate an install.json file where all indirect dependencies are resolved and pinned in a lock file. For more information on how to set this up in your project, please refer to the bazel blog.
File fingerprinting
Debricked supports scanning for Java dependencies not defined in manifest-files through file fingerprinting. Our database contains the hashes of .jar and .war files as well as their unpacked contents for all packages in the largest maven repository. This is used when comparing with the contents of your application, to ensure as accurate matches as possible. For more information on file fingerprinting and how to set it up, see file fingerprinting.
Supported file formats and features:
| Package Manager | Supported File Formats | Root dependencies | Indirect dependencies | Dependency trees | Security Scanning | License Scanning | Root Fix | Pull Request | Vulnerable Functionality | High Performance Scan |
|---|---|---|---|---|---|---|---|---|---|---|
Gradle | build.gradle | |||||||||
Gradle | build.gradle.kts | |||||||||
Maven | pom.xml | |||||||||
Bazel | WORKSPACE | |||||||||
Bazel | install.json | |||||||||
- | fingerprinted files (.jar, .war, pom.xml and more*) |
*When building our knowledge base, we download files, unpack them, and fingerprint all file contents besides a few excluded patterns. This is a list of the files we download from each source, we fingerprint all contents of each file. Some examples are matching on .dll files for C# and others for other languages, such as .class files contained in a .jar file from Java.
Last updated
