Comparison of Trusted Checksums and Maven-Lockfile

[LogFlames]

Features

Maven-Lockfile

• Can recreate pom file from lockfile
• Stores lockfile in each submodule individually
• Backwards compatible with older maven versions

Trusted Checksums

• Included in maven. Automatically verified at build time or validate
• If configured to fail on error plugins will require being recorded into the trusted checksums
• Minimal file ad hoc format "hash space artifact"
• Missing BOM information
• Missing ENV information (such as java and maven version)

Both

• Are independent of ordering of dependencies/checksums
• Are not locked down to specific Java version (can be generated with Java 17 and tested with Java 21 without false triggers)

The main thing missing from Trusted Checksums is the ability to download the specific versions specified. If a version range is specified some manual work is required to check the specific version of the jar and specify that one in the pom.xml.

Suggestion: Maven lockfile could (maybe an optional parameter) setup the project to use trusted checksums.

Test on maven-lockfile

When run on the maven-lockfile project the following results are obtained.

Trusted Checksums recorded 1222 checksums, where 779 are checksums for .pom files.
Maven Lockfile recorded 300 checksums.

All checksums recorded in the lockfile are also recorded in the trusted checksums.

These checksums (filtered to only include jars) are in Trusted Checksums but missing in the lockfiles:

Hash	Artifact
0a482e6c4feca419d8227f5929ad8b27a8b7468b620127ef77cf58fd8447d384	io/quarkus/quarkus-vertx-http-dev-ui-spi/3.15.1/quarkus-vertx-http-dev-ui-spi-3.15.1.jar
8cadd43ac5eb6d09de05faecca38b917a040bb9139c7edeb4cc81c740b713281	org/ow2/asm/asm/9.7.1/asm-9.7.1.jar
d6879ef63cce58e20bedeb91d7722e974a25bbb5c605ee2cdb6e675522299752	io/quarkus/quarkus-vertx-deployment/3.15.1/quarkus-vertx-deployment-3.15.1.jar
c13b12c32a18b00e457de9b93cfc3d5593bfa1fb992b2c46a3498be1a77c4889	org/codehaus/plexus/plexus-compiler-manager/2.15.0/plexus-compiler-manager-2.15.0.jar
dee92eda1cd293afbbbb0ee3d752f8c135e193e2232172e036a3f23e38c8c25d	org/apache/maven/resolver/maven-resolver-api/1.9.20/maven-resolver-api-1.9.20.jar
517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f	com/fasterxml/jackson/dataformat/jackson-dataformat-xml/2.17.2/jackson-dataformat-xml-2.17.2.jar
33dc67306cc95da14e5444e8b494d967924abf1d01bae1894676164cbd3f6112	org/apache/maven/resolver/maven-resolver-api/1.4.1/maven-resolver-api-1.4.1.jar
46a0c87d504ce9d6063e1ff6e4d20738feb49d8abf85b5071a7d18df4f11bac9	org/iq80/snappy/snappy/0.4/snappy-0.4.jar
6ee731df5c8e5a2976a1ca023b6bb320ea8d3539fbe64c8a1d5cb765127c33b4	org/apache/commons/commons-lang3/3.17.0/commons-lang3-3.17.0.jar
b869aca6c208d2b1fc92e846e1c13612a5ed2fda3bed9a7c1ae2ff5f14f8cf48	org/apache/maven/resolver/maven-resolver-util/1.9.20/maven-resolver-util-1.9.20.jar
f885be71b5c90556f5f1ad1c4f9276b29b96057c497d46666fe4ddbec3cb43c6	org/ow2/asm/asm-util/9.7.1/asm-util-9.7.1.jar
549398002c5f7e688d8f62066b499d8a658ca976fa20bf664df126866866fac9	io/quarkus/quarkus-devtools-codestarts/3.15.1/quarkus-devtools-codestarts-3.15.1.jar
56e5de41b932d0e585359d0558fa3a1f12f0550eb4497db2220357cf1b404607	org/apache/maven/surefire/maven-surefire-common/3.5.1/maven-surefire-common-3.5.1.jar
85b29371884ba31bb76edf22323c2c24e172c3267a67152eba3d1ccc2e041ef2	org/ow2/asm/asm-analysis/9.7.1/asm-analysis-9.7.1.jar
bcb797feddd16d3ebbaddf2e228c727c5ade9fb307127748062968c0f85f406b	io/quarkus/quarkus-devtools-registry-client/3.15.1/quarkus-devtools-registry-client-3.15.1.jar
30f015d1c1a393e19c18cd4f43532089c36d4ca328608ce3dda78b74d3d31515	org/apache/maven/maven-artifact/3.9.9/maven-artifact-3.9.9.jar
9971018358fbd488fcc85df4562598a128048b564a240c13d0716800f9268f1e	org/apache/maven/surefire/surefire-extensions-api/3.5.1/surefire-extensions-api-3.5.1.jar
49c47aee145d30239be37c0aed8c481425b23d29633915dd8dd5a84c11a8c916	org/apache/maven/plugin-tools/maven-plugin-tools-model/3.15.1/maven-plugin-tools-model-3.15.1.jar
bd1913bbaa6f77068f4915934414e40294cc099d1ab73946c698e7da26de5124	org/apache/maven/surefire/common-java5/3.5.1/common-java5-3.5.1.jar
3611fc8916ce564e9fdeea359fc66482a6687a17c43c50f2887a37c81e3e29ee	io/vertx/vertx-web/4.5.10/vertx-web-4.5.10.jar
7dc7abec9b7b8b431abe082d34d0c74a9675d4044dbe3c719a9484f27e1b5206	io/quarkus/quarkus-virtual-threads-deployment/3.15.1/quarkus-virtual-threads-deployment-3.15.1.jar
931a77aa9dad6c91f10fcfafa70adc7608c004576b4924c74ecbffb27568a880	org/apache/maven/shared/maven-common-artifact-filters/3.4.0/maven-common-artifact-filters-3.4.0.jar
2e8cb2d546a01c2259cb17f1e06732db3d14b079d19622bf8400c82cb1ee6b96	org/apache/maven/shared/file-management/3.1.0/file-management-3.1.0.jar
a8e406abe7403bb18fa3584a82a529234c429b728e6222c92e05df9a022aa951	io/quarkus/quarkus-project-core-extension-codestarts/3.15.1/quarkus-project-core-extension-codestarts-3.15.1.jar
5dea05049c94f952f48ce2bfe0111afdf986acc591fcc11d23fe3b8dcb70291e	org/apache/maven/maven-resolver-provider/3.9.9/maven-resolver-provider-3.9.9.jar
e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247	com/github/package-url/packageurl-java/1.5.0/packageurl-java-1.5.0.jar
efbab714375518607d78e2285b26573095ed61b93de5f257a03f50edff3bec6e	io/quarkus/quarkus-smallrye-context-propagation-spi/3.15.1/quarkus-smallrye-context-propagation-spi-3.15.1.jar
2b491d38db45b0e8eef522e8f7889a3366e546e58b376b07fcb56e34c424e932	org/apache/maven/maven-plugin-api/3.9.9/maven-plugin-api-3.9.9.jar
d75b2ced6059f81ad23e021c554259b906b6c4f2991cb772409827569ead4c1a	com/github/luben/zstd-jni/1.5.5-11/zstd-jni-1.5.5-11.jar
46c126b4a14e93ca9e3b92aa90f0330adcb73964cc45807f51cd5c68afa7f834	org/apache/maven/surefire/surefire-shared-utils/3.5.1/surefire-shared-utils-3.5.1.jar
217e0314bfc1b40787d6be9d9510f71b72b0741a3123c9ac633fc4fd95d7132d	io/quarkus/quarkus-analytics-common/3.15.1/quarkus-analytics-common-3.15.1.jar
55355f6cf2c7de9fc574ebaf0791a130c0199cc124e3f00ab45da05648f15873	org/iq80/snappy/snappy/0.5/snappy-0.5.jar
e599d5318e97aa48f42136a2927e6dfa4e8881dff0e6c8e3109ddbbff51d7b7d	commons-codec/commons-codec/1.11/commons-codec-1.11.jar
83f38459593bc10caeb1fa2653616813b1743b6bed67163c8ae8e5a4d32a5456	com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.17.1/jackson-dataformat-yaml-2.17.1.jar
3bb5b0ec02998abe45a51f37d7ce67c3068b4ccd4ab63c965929ec5074d64e91	org/jsoup/jsoup/1.18.1/jsoup-1.18.1.jar
1bf78c2ade46f209bf93ebe72ed2af5b989ca7a1de0a015fc1b92a62f56b6549	org/apache/velocity/velocity-engine-core/2.4/velocity-engine-core-2.4.jar
965ed28912cf1ae4c628112c4009e0c19819bc44ed5db8af54ee5eda21036a3e	org/codehaus/plexus/plexus-io/3.5.0/plexus-io-3.5.0.jar
934171640fbd3d2495c50b79b0d9adb11e2c83e65bad157df8fe34bcac0ff798	org/sonatype/plexus/plexus-build-api/0.0.7/plexus-build-api-0.0.7.jar
d777d8f032261095fc082b5d1d038ff5857597351e828044071d6bd35d07a957	io/quarkus/platform/quarkus-bom-quarkus-platform-properties/3.15.1/quarkus-bom-quarkus-platform-properties-3.15.1.properties
85c4ca30b81be61a1de1d2619c4e03f79bdcc631f1721dc39658afc674d3d54a	io/quarkus/quarkus-smallrye-context-propagation-deployment/3.15.1/quarkus-smallrye-context-propagation-deployment-3.15.1.jar
8f59b0a16fe9c933be749a60ae0705a0cb337bb5abaf38801b40b740ff775727	org/apache/maven/maven-model/3.9.9/maven-model-3.9.9.jar
27bb5d40f37c3bb7205b4a0540247df057715e9f6cbbd97d626ab8b50318bb04	org/apache/commons/commons-compress/1.26.1/commons-compress-1.26.1.jar
522b0b9ed59d3928750dcc4b8b48837d16a693f716c644039340b27de030a0d4	io/quarkus/quarkus-netty-deployment/3.15.1/quarkus-netty-deployment-3.15.1.jar
19584f4518699710a6b4429c88488be2307552cf56b7ca4285f7b95547d6e7c9	io/quarkiverse/githubapi/quarkus-github-api-deployment/1.322.0/quarkus-github-api-deployment-1.322.0.jar
e1c3cb595bd5a4ab75bedf59b47a3c738b935c7ff83c1f245c418a879a7d37d0	io/quarkus/arc/arc-processor/3.15.1/arc-processor-3.15.1.jar
ea6ce5e8cc9345ffeb0409471e0bec156aaf855dd8d017bebd49b122ec2f01e8	io/quarkus/quarkus-arc-deployment/3.15.1/quarkus-arc-deployment-3.15.1.jar
4c07814ff4a39199999ae82bba1e38aa4f25637467fcac6a66ed63a76535799a	org/codehaus/plexus/plexus-archiver/4.10.0/plexus-archiver-4.10.0.jar
7be7713cfd9f0e9fab9acbe2538bf06186ea6ae0cc80b324afdb3861aaf18889	org/twdata/maven/mojo-executor/2.4.0/mojo-executor-2.4.0.jar
1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1	org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar
081b40e0eab033cd5ac72d2501bfff4f5fd2a3eef827051111730ea152681c72	org/codehaus/plexus/plexus-classworlds/2.8.0/plexus-classworlds-2.8.0.jar
fba33eaee3b01547bcd14b05ebc37f7dacef1819ad9ee7a5b27899afd3472cf4	org/apache/maven/doxia/doxia-sink-api/2.0.0/doxia-sink-api-2.0.0.jar
d31d744eb69f77dffd3722dca4094758e0f90e79918a7b3b9fdc37ce49b60342	org/codehaus/plexus/plexus-compiler-api/2.15.0/plexus-compiler-api-2.15.0.jar
6ba7fb0db6bfa348c248df3f983ae31318e9c14f35a86a932af5ffd7450aa62a	org/codehaus/plexus/plexus-io/3.4.2/plexus-io-3.4.2.jar
804d51f9bae9e0a84889f3d1b79f5b6586aa91baaa33a8f2175a7b327bd9910e	com/thoughtworks/qdox/qdox/2.1.0/qdox-2.1.0.jar
61988e54486a5dc38f06c70fdae5b108556c63bd433697b9f4305fcdb30fa40e	org/apache/maven/shared/maven-shared-incremental/1.1/maven-shared-incremental-1.1.jar
5cfa057f693ebbd4d0a94bea8833dc8105ba2af6d4b7dca05acecc6235b9609c	org/apache/maven/enforcer/enforcer-rules/3.5.0/enforcer-rules-3.5.0.jar
f957f13604ea1686de805801862f339dbbb6eab9a66f9cc7e4a5c5b27e4fcecc	org/codehaus/plexus/plexus-utils/3.4.2/plexus-utils-3.4.2.jar
1e82e0603f76bc130fc2df941adf7eff5696b6e279be5df5b5c23964453c1b14	org/apache/maven/surefire/surefire-booter/3.5.1/surefire-booter-3.5.1.jar
4d2d63cdcad46feba432110ef64bcdc8f8fad48538fda5cd2253686b45a94304	org/codehaus/plexus/plexus-java/1.2.0/plexus-java-1.2.0.jar
88493689e519f1d2cee10d4e143d1001849c7d62db3746e98ce0c6f6facc4a2a	org/apache/maven/shared/maven-dependency-analyzer/1.14.1/maven-dependency-analyzer-1.14.1.jar
daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636	commons-logging/commons-logging/1.2/commons-logging-1.2.jar
b12663187d9ffc6a1ee76139c0ef497fe9400efbe2ebe01616fe2703656fb4f0	org/apache/maven/shared/maven-filtering/3.3.1/maven-filtering-3.3.1.jar
d0845d78c49cb1efc9fd86d54c8f73eddbccb47bcadb6f3dbd18a4cec7318010	org/apache/maven/plugin-tools/maven-plugin-tools-beanshell/3.15.1/maven-plugin-tools-beanshell-3.15.1.jar
c1a510a87a62bd2d74ac1472dd31c3f9e9b0b8b8568f37d77c0f135415bebd05	org/codehaus/plexus/plexus-xml/3.0.1/plexus-xml-3.0.1.jar
cb812be374f19da55406714c648534c91b234d73fdaa386afda9ad51a025f208	org/apache/maven/plugin-tools/maven-plugin-tools-annotations/3.15.1/maven-plugin-tools-annotations-3.15.1.jar
6fc03e51e73fa884f06e7eae0761e045e56fdeb4e146a4d952e3023cc9e3fb43	net/sf/jtidy/jtidy/r938/jtidy-r938.jar
a4377182ac2e5adfe16be3b3c81981a5ecddab014184de72ae1e522f04a77602	org/apache/maven/maven-model-builder/3.9.9/maven-model-builder-3.9.9.jar
8515e91808a09c8c9af5e359185b5991b5e76b8adcf185b9a3dab4ec8e5ba8ff	org/junit/platform/junit-platform-launcher/1.9.3/junit-platform-launcher-1.9.3.jar
8055bae9fce7178aee52f58e4eb235f7debf4d58e0e6e14c320f757e0b84b597	io/quarkus/quarkus-jackson-deployment/3.15.1/quarkus-jackson-deployment-3.15.1.jar
fdbef3137a28f63bb0cb93487803080ede746a4ec3d421e36c6f0c305c35e5e4	io/airlift/aircompressor/0.27/aircompressor-0.27.jar
d287275e15af1ffd2405c5f954a6b8bdab009b6ba9a2e35bacaec8b796960085	io/smallrye/smallrye-graphql-client-model-builder/2.9.2/smallrye-graphql-client-model-builder-2.9.2.jar
6f92794f2bcb424868c8ddcf8106e6c269944310e77c3f643447d91108255b4d	org/apache/maven/surefire/surefire-extensions-spi/3.5.1/surefire-extensions-spi-3.5.1.jar
f72ede1b39258faf81277dc58de30c71cbae4253732558d2ce10b53d8b5763d5	com/github/luben/zstd-jni/1.5.6-3/zstd-jni-1.5.6-3.jar
9929881f59eb6b840e86d54570c77b59ce721d104e6dfd7a40978991c2d3b41f	org/ow2/asm/asm-tree/9.7.1/asm-tree-9.7.1.jar
38556a754b8c947c674d1678270aa36cb6a98d9443235229c6d09f8154837098	org/apache/maven/plugin-tools/maven-plugin-tools-api/3.15.1/maven-plugin-tools-api-3.15.1.jar
2a336838fbca56c92d20110582002629ee8829ad24fac92768177a74042b2ce8	org/apache/maven/plugin-tools/maven-plugin-tools-ant/3.15.1/maven-plugin-tools-ant-3.15.1.jar
8519157df813c210e85fc1414b74109e3d85f43d7092563ed704c43c48f0d5e6	org/junit/platform/junit-platform-commons/1.9.3/junit-platform-commons-1.9.3.jar
97d1acaac82409be42e622d7a54d3ae9d08517e8aefdea3d2ba9791150c2f02d	jline/jline/2.14.6/jline-2.14.6.jar
ab829182363e747a1530a368436242f4cca7ff309dd29bfca638a1fdc7b6771d	org/freemarker/freemarker/2.3.33/freemarker-2.3.33.jar
6048efc98598dea6e768d26aabd5786fa6a5c37798f83bac3984bd45275b3c40	io/quarkus/quarkus-jsonb-spi/3.15.1/quarkus-jsonb-spi-3.15.1.jar
a17955976070c0573235ee662f2794a78082758b61accffce8d3f8aedcd91047	org/apache-extras/beanshell/bsh/2.0b6/bsh-2.0b6.jar
72fc8f42c390c55941f0c8c086193bd6e164885ded5ae21edecf99634641c0c4	io/quarkus/quarkus-jackson-spi/3.15.1/quarkus-jackson-spi-3.15.1.jar
f700de80ac270d0344fdea7468201d8b9c805e5c648331c3619f2ee067ccfc59	commons-codec/commons-codec/1.17.0/commons-codec-1.17.0.jar
1827975508415cacfb9d26eb2d5ae3eaedd955059041ac09b6a6ff6f420cb25d	org/apache/maven/surefire/surefire-logger-api/3.5.1/surefire-logger-api-3.5.1.jar
58812de60898d976fb81ef3b62da05c6604c18fd4a249f5044282479fc286af2	org/opentest4j/opentest4j/1.2.0/opentest4j-1.2.0.jar
98428d545ea63cd9a0aaf255caf42cb8cb64fe430dbb5e709aed536d4daeed04	org/apache/ivy/ivy/2.5.2/ivy-2.5.2.jar
0c39553d9a03510757227f5a1c6cc6530287b1a321ed6258450664874aa2a16a	org/junit/platform/junit-platform-engine/1.9.3/junit-platform-engine-1.9.3.jar
277b104c7d26f44e0a4217b645a84904eb554d48292a6c26d20066e4989723b1	io/quarkus/quarkus-jsonp-deployment/3.15.1/quarkus-jsonp-deployment-3.15.1.jar
ed903d6a94d37946bb48a7f52e406c42a1e2ffea863484bfe60a7164e5b33926	io/quarkus/quarkus-smallrye-stork-deployment/3.15.1/quarkus-smallrye-stork-deployment-3.15.1.jar
50816a36aaaaa823247fe2e932b1f2d8aa026ca3515d9163c44be89fdb6b872b	org/apache/commons/commons-compress/1.27.0/commons-compress-1.27.0.jar
de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7	com/networknt/json-schema-validator/1.5.1/json-schema-validator-1.5.1.jar
9168a03141d8fc7eda21a2360d83cc0412bcbb1d6204d992bd48c2573cb3c6b8	org/apache/commons/commons-compress/1.26.2/commons-compress-1.26.2.jar
ef8d156431438b2f6fefa96266c0383214b7d66dc4542adec8fa3749cd1f925b	io/smallrye/common/smallrye-common-version/2.6.0/smallrye-common-version-2.6.0.jar
f455405f84e37e6b998970cab24e3963a4fdd802e9830fecac7549378b1048a9	org/codehaus/plexus/plexus-java/1.3.0/plexus-java-1.3.0.jar
13b49cfceaff63b142ea98cb2fa785cc9e02cdb4b219aeec7fc3c3a8c8815654	org/apache/maven/plugin-tools/maven-plugin-tools-java/3.15.1/maven-plugin-tools-java-3.15.1.jar
aff0951639837c4e3a4699a421fa79f410032f603f5c6a5bba435e98531f3984	org/eclipse/aether/aether-util/1.0.0.v20140518/aether-util-1.0.0.v20140518.jar
3c6fac2424db3d4a853b669f4e3d1d9c3c552235e19a319673f887083c2303a1	org/ow2/asm/asm/9.6/asm-9.6.jar
96b9cc44439191d2d0635974e2d44e768736b4fb2abcb65f94cd95e41912fa8b	org/codehaus/plexus/plexus-utils/4.0.1/plexus-utils-4.0.1.jar
73ad5e470780a4c885f229b705fb365fbae50f5e1f1990274128f7f48dc61374	io/vertx/vertx-bridge-common/4.5.10/vertx-bridge-common-4.5.10.jar
094640f3fdce47250cb06968a143f40c4e2f1c22be979c73caac2f49f3c38373	org/apache/maven/maven-settings-builder/3.9.9/maven-settings-builder-3.9.9.jar
6f2de1f09b0d316582a7f64ef6f259af9f19b271602c2801f767eb47df0d7092	io/quarkus/quarkus-devtools-message-writer/3.15.1/quarkus-devtools-message-writer-3.15.1.jar
7fab37fc6044f20ae004376ab8414373636cf51e26ad0b1efa6b3f1cd2bec503	org/apache/maven/maven-core/3.9.9/maven-core-3.9.9.jar
b26ee90507fecda8c6da6d3fdbeb8b2c99979ac8b8aa2459a4813e6bee7ae6e6	org/apache/groovy/groovy/4.0.23/groovy-4.0.23.jar
ec87bfb55f22cbd1b21e2190eeda28b2b312ed2a431ee49fbdcc01812d04a5e4	commons-codec/commons-codec/1.16.1/commons-codec-1.16.1.jar
2b97963430f7bac04ecfb42ea98f30d0914c067693207e4f096595f5ca16eca3	org/apache/maven/enforcer/enforcer-api/3.5.0/enforcer-api-3.5.0.jar
0b20f45e3a0fd8f0d12cdc5316b06776e902b1365db00118876f9175c60f302c	org/jdom/jdom2/2.0.6.1/jdom2-2.0.6.1.jar
68edf1b510e0d759ec501271a5d05e3a6e425462fbb84126c16e8a6f89abdada	org/apache/maven/maven-settings/3.9.9/maven-settings-3.9.9.jar
9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa	org/cyclonedx/cyclonedx-core-java/9.0.5/cyclonedx-core-java-9.0.5.jar
c9e76fc2501852d55d258e1210ad5eb306686b2f31cfa55b185991a79b1cb392	org/apache/maven/plugin-tools/maven-plugin-tools-generators/3.15.1/maven-plugin-tools-generators-3.15.1.jar
02fc027d2d2c5ec90cb09db183d6a4810cbfb1ef47b944f4adcecef1aafeb1ef	io/quarkus/qute/qute-core/3.15.1/qute-core-3.15.1.jar
5394a6a7563d1bb372af6e9d5983f65c28995b109a9e50d896541effc669a923	org/apache/maven/surefire/surefire-api/3.5.1/surefire-api-3.5.1.jar
1f895a587df4844d9b7565e8e9a6352afe1d55532458a0dbeb746bc1d02e9216	org/apache/maven/maven-archiver/3.6.2/maven-archiver-3.6.2.jar
2e5e775a9dc58ffa6bbd6aa6f099d62f8b62dcdeb4c3c3bbbe5cf2301bc2dcc1	org/fusesource/jansi/jansi/2.4.1/jansi-2.4.1.jar
ca6732d61815f0339b5f9a71eeb9fdf73740868e96b05ba159e5f675d3132891	io/quarkus/quarkus-mutiny-deployment/3.15.1/quarkus-mutiny-deployment-3.15.1.jar
a6e07786cc2559da983c7ec887ae314a1afc0e613b31e26540e11b3d8675d193	io/quarkiverse/githubaction/quarkus-github-action-deployment/2.4.0/quarkus-github-action-deployment-2.4.0.jar
a00565f6626b1a5cfbe5ccbf050d3c61cda1f610a56cb9395c24926cad4b5b6c	org/apache/maven/surefire/surefire-junit-platform/3.5.1/surefire-junit-platform-3.5.1.jar
3e7e902f492c973cf210ddb8267843a3b65e83f5067467e2f4d9af0051f6b8b9	org/codehaus/plexus/plexus-velocity/2.2.0/plexus-velocity-2.2.0.jar
1f08ab20724f7fff2681c43bcda0054654b827ee30a8dc88b3fde00bdee39333	io/quarkus/quarkus-smallrye-graphql-client-deployment/3.15.1/quarkus-smallrye-graphql-client-deployment-3.15.1.jar
8143280e9372bc5c8abe3291dca580411636c1924f48f51e9cf34333be7a419a	com/gradle/gradle-enterprise-maven-extension/1.17/gradle-enterprise-maven-extension-1.17.jar
211b306cfc44f8f96df3a0a3ddaf75ba8c5289eed77d60d72f889bb855f535e5	org/tukaani/xz/1.9/xz-1.9.jar
ff70c10165714fe9546c418a65d74ecd5d57623ba408cecde9428f0a609b5d1c	com/thoughtworks/qdox/qdox/2.0.3/qdox-2.0.3.jar
89603334988453b9cf4d7ec404d4b54f140de28b678d6a8e8edc448240dd0e90	org/codehaus/plexus/plexus-compiler-javac/2.15.0/plexus-compiler-javac-2.15.0.jar
2f6f8db462f42018c4fbfa3d39944cba4f31ff08eb57adba1790dcf5984ba110	io/quarkus/quarkus-vertx-deployment-spi/3.15.1/quarkus-vertx-deployment-spi-3.15.1.jar
1b9ef2063144f40cf0fae737ccee6ff9844830b73926a3329dd3e24c011747c6	io/quarkus/quarkus-devtools-common/3.15.1/quarkus-devtools-common-3.15.1.jar
961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908	commons-io/commons-io/2.11.0/commons-io-2.11.0.jar
0abd4d05c69908d69ced023de768fe093ada7989cc352ab5cbedd28d8554b5cc	io/quarkus/quarkus-arc-test-supplement/3.15.1/quarkus-arc-test-supplement-3.15.1.jar
137c297e6a52d489b76663c82324d54e40f5d498a8fc015c0203fd91df8623b0	org/apache/maven/maven-repository-metadata/3.9.9/maven-repository-metadata-3.9.9.jar
763acda4a69588c9ea8817a952851ff0c2fc4bffa1d081c2565dc407f29d5794	org/apache/ant/ant/1.10.15/ant-1.10.15.jar
0b89124daefd48fe8c0f43449be3a98ba609b460f018a80c704c74544f62286a	org/codejive/java-properties/0.0.7/java-properties-0.0.7.jar
b071da0e5c7197e7010e0deb63fb6a1a0d32fc1e003ebdbfc311ac5193773a0f	io/fabric8/maven-model-helper/37/maven-model-helper-37.jar
68aa09fe113a4ce63d636283aad573dfcbf80162104c21423bfe8c7907274b70	io/quarkus/quarkus-cyclonedx-generator/3.15.1/quarkus-cyclonedx-generator-3.15.1.jar
3ba57a4c3cf00495a501e4f1369d29dd8e983aadc3d59bf4aa52987a8e7d8791	io/quarkus/quarkus-devtools-base-codestarts/3.15.1/quarkus-devtools-base-codestarts-3.15.1.jar
0424b2ff0c20265a084a32a4907521b28e7b86af25d131987a6b31ef63b9687c	com/ethlo/time/itu/1.10.2/itu-1.10.2.jar
84b98521684ab22f9528470fa6d8ab68a230e1b211623c989ba7016c306eb773	org/eclipse/aether/aether-api/1.0.0.v20140518/aether-api-1.0.0.v20140518.jar
b4727459201b0011beb0742bd807421a1fc8426b116193031ed87825bc2d4f04	org/junit/platform/junit-platform-launcher/1.11.3/junit-platform-launcher-1.11.3.jar
7a875af6682016b41755106dcd459f5165d59795a2775f9725b675b02ed92787	io/quarkus/quarkus-jsonb-deployment/3.15.1/quarkus-jsonb-deployment-3.15.1.jar
3fb4fb6143fdf964024c3cb738551524b9ea84e5c211cd660c559ad0703e5230	org/codehaus/plexus/plexus-interpolation/1.27/plexus-interpolation-1.27.jar
d2622dc9339b16f5b8c9cad2add440e965831d0e16f19ae1de24e1202b0de536	org/codehaus/plexus/plexus-xml/3.0.0/plexus-xml-3.0.0.jar
5c8551990307a032336d98ddaed549a39a689f07d4d4c6b950601bf22b3d6a1b	org/apache/ant/ant-launcher/1.10.15/ant-launcher-1.10.15.jar
a837bd7d73291564dc8e8c826de0fede75896527a35bdcddb77b0545ee656a4c	org/codehaus/plexus/plexus-archiver/4.9.2/plexus-archiver-4.9.2.jar
81cdeef50567735bda9f6b4aabe0cc0a3f6c04f15569192bc6505393d2612c25	com/fasterxml/woodstox/woodstox-core/6.7.0/woodstox-core-6.7.0.jar
cb2cbde3c9c7288f7398a250dcf3c90cf92714cff301f22b298e1091b5def33c	org/apache/maven/reporting/maven-reporting-api/4.0.0/maven-reporting-api-4.0.0.jar
2ca4a967bdd12a9e85d40e012374f86e63d4a1030c199da4832e3d0a1c6770d8	org/apache/maven/maven-builder-support/3.9.9/maven-builder-support-3.9.9.jar

[LogFlames]

Summary/continuation:

• Figure out why/where these 132 extra checksums comes from? Can/should these be included in lockfile.json?
• Think about implementing checksums as a configuration option of maven-lockfile.
• Too much SBOM information (module/dependency) is lost using only Trusted Checksums - it is not a replacement for maven-lockfile.

[LogFlames]

Example of checksums-central.sha256:

000dd616298aebd21a9d5731874df083d7298424b91e037b73cbdd07ebc83e0e  org/jboss/jboss-parent/36/jboss-parent-36.pom
001cde5b3c6ba91070425cfe9f2e695e4aeb8bc290a2d4cd96531127ab244fe5  org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.pom
005b5a3a88736bd2584f69cc59467e67c106e6a4b7a2dbd1ba2251267e96011d  org/apache/commons/commons-lang3/3.10/commons-lang3-3.10.pom
00730f0fd33d55c28d00b417decee720b00cae4d27530819b0713a5c5d9d9f37  org/apache/maven/resolver/maven-resolver-named-locks/1.9.22/maven-resolver-named-locks-1.9.22.pom
00bcf388472ca80a687014181763b66d777177f22cbbf179fd60e1b1ac9bc9b0  org/apache/logging/log4j/log4j-core/2.24.1/log4j-core-2.24.1.jar
0124227bc47efc9a00b9aa4fc3ef7f70823d322213c26489e5369a914339c84a  org/codehaus/plexus/plexus-component-annotations/1.5.4/plexus-component-annotations-1.5.4.pom
01ca7ebc4796fd603dab182c6c14b074250c6b2603b5454785eff003e76e5a19  io/vertx/vertx-codegen/4.5.10/vertx-codegen-4.5.10.jar
0043f72f611664735da8dc9a308bf12ecd2236b05339351c4741edb4d8fab0da  org/junit/platform/junit-platform-engine/1.11.3/junit-platform-engine-1.11.3.jar
025caec7c56a0cb4d86c45bc18ac3e23dba291e22ebceb76302a9a9b9b7183cc  org/apache/maven/wagon/wagon/1.0-beta-6/wagon-1.0-beta-6.pom
025f8aa20b019a8efc90b200129bb5d948c8459ed000f0444e8bca2a15e9e166  io/quarkus/quarkus-development-mode-spi/3.15.1/quarkus-development-mode-spi-3.15.1.pom
026fb505b0f954e24f88b0d91bd21030d43e92ba0a3cf4f9832ec31240c8829d  io/smallrye/common/smallrye-common-io/2.5.0/smallrye-common-io-2.5.0.jar
02baad428c4a0fc2f503795d08644752a15731fb51c3da1add108d5e6ac5d283  org/wildfly/common/wildfly-common/1.7.0.Final/wildfly-common-1.7.0.Final.jar
02bada6f4bc3d1163d44cd626048c51f4a9a453e650c7c51e01601a9fa0e098e  org/twdata/maven/mojo-executor-parent/2.4.0/mojo-executor-parent-2.4.0.pom
02f291e5d1243dc143496e3cbbb40a1ced47aa58f2d633d3e38780cd068d5074  commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
02fc027d2d2c5ec90cb09db183d6a4810cbfb1ef47b944f4adcecef1aafeb1ef  io/quarkus/qute/qute-core/3.15.1/qute-core-3.15.1.jar
0310865a9d620e254a5b380bfc17a94a94bc41b50ee8d298681735bd6a44c4d3  io/quarkus/quarkus-netty/3.15.1/quarkus-netty-3.15.1.pom
0342bdcbd23208534dde58819ddf937aabbe3d61a47231ffb06632fb47dd2657  org/sonatype/aether/aether-util/1.7/aether-util-1.7.pom
034e12a9d1d5f5618a9e0dda23aadda4ed659ec55240876b6e954cc2172be456  org/apache/maven/shared/maven-common-artifact-filters/3.1.0/maven-common-artifact-filters-3.1.0.pom
037b44a6f27020511a5e62125c529707c857a2a10aedb5d8a219717c4b6a6955  org/apache/maven/maven/4.0.0-alpha-5/maven-4.0.0-alpha-5.pom
03d960bd5aef03c653eb000413ada15eb77cdd2b8e4448886edf5692805e35f3  org/objenesis/objenesis/3.2/objenesis-3.2.jar
03e1898e878806cace2028d9b42cda3377d70ceb2b06253c43f6a587a0f67067  org/slf4j/jcl-over-slf4j/1.5.6/jcl-over-slf4j-1.5.6.jar
0424b2ff0c20265a084a32a4907521b28e7b86af25d131987a6b31ef63b9687c  com/ethlo/time/itu/1.10.2/itu-1.10.2.jar
042a1cd1ac976cdcfe5eb63f1d8e0b0b892c9248e15a69c8cfba495d546ea52a  org/jetbrains/kotlin/kotlin-stdlib/1.8.21/kotlin-stdlib-1.8.21.jar
043962b987eec7d11e84869277a1c4872d022c24aa837759fe17f98d7ed7a194  io/quarkus/quarkus-jsonp/3.15.1/quarkus-jsonp-3.15.1.jar
043f21c8e8f1e44fa4434bff9d8daed3c98642b414fad9d6c29ce4f120cb945c  org/apache/maven/plugin-tools/maven-script/3.15.1/maven-script-3.15.1.pom
04534dea350a2187970a5b74444338bcf78ba8e537d44f262acfba16ebb33056  org/apache/maven/maven-parent/42/maven-parent-42.pom
[...]