GitHub Action

Maven-Lockfile

v1.1.9

This action generates a lockfile for a Maven project

Installation

Copy and paste the following snippet into your .yml file.

- name: Maven-Lockfile
  uses: chains-project/maven-lockfile@v1.1.9

Learn more about this action in chains-project/maven-lockfile

Maven Lockfile

This plugin is a state-of-the-art solution for validating the integrity of a Maven repository. It generates a lock file that records the checksum of every artifact in the repository; that lock file can later be used to verify that the repository still contains exactly those artifacts. This guards the supply chain against malicious actors who might tamper with the artifacts in the repository.

Installation:

This plugin is available on Maven Central. To use it, add the following to your pom.xml (see https://search.maven.org/artifact/io.github.chains-project/maven-lockfile for the latest version):

Usage

First, generate a lock file by running the following command in the repository that you want to validate:

mvn io.github.chains-project:maven-lockfile:1.1.9:generate

Then run the following command to validate the repository:

mvn io.github.chains-project:maven-lockfile:1.1.9:validate

Format

An example lockfile is shown below; for a full example, see the lockfile.json file in this repository.

{
  "artifactID": "my-app",
  "groupID": "com.mycompany.app",
  "version": "1",
  "lockFileVersion": 1,
  "dependencies": [
    {
      "groupId": "org.junit.platform",
      "artifactId": "junit-platform-engine",
      "version": "1.9.2",
      "checksumAlgorithm": "SHA-256",
      "checksum": "25f23dc535a091e9dc80c008faf29dcb92be902e6911f77a736fbaf019908367",
      "id": "org.junit.platform:junit-platform-engine:1.9.2",
      "parent": "org.junit.jupiter:junit-jupiter-engine:5.9.2",
      "children": [
        {
          "groupId": "org.apiguardian",
          "artifactId": "apiguardian-api",
          "version": "1.1.2",
          "checksumAlgorithm": "SHA-256",
          "checksum": "b509448ac506d607319f182537f0b35d71007582ec741832a1f111e5b5b70b38",
          "id": "org.apiguardian:apiguardian-api:1.1.2",
          "parent": "org.junit.platform:junit-platform-engine:1.9.2",
          "children": []
        },
        {
          "groupId": "org.junit.platform",
          "artifactId": "junit-platform-commons",
          "version": "1.9.2",
          "checksumAlgorithm": "SHA-256",
          "checksum": "624a3d745ef1d28e955a6a67af8edba0fdfc5c9bad680a73f67a70bb950a683d",
          "id": "org.junit.platform:junit-platform-commons:1.9.2",
          "parent": "org.junit.platform:junit-platform-engine:1.9.2",
          "children": [
            {
              "groupId": "org.apiguardian",
              "artifactId": "apiguardian-api",
              "version": "1.1.2",
              "checksumAlgorithm": "SHA-256",
              "checksum": "b509448ac506d607319f182537f0b35d71007582ec741832a1f111e5b5b70b38",
              "id": "org.apiguardian:apiguardian-api:1.1.2",
              "parent": "org.junit.platform:junit-platform-commons:1.9.2",
              "children": []
            }
          ]
        },
        {
          "groupId": "org.opentest4j",
          "artifactId": "opentest4j",
          "version": "1.2.0",
          "checksumAlgorithm": "SHA-256",
          "checksum": "58812de60898d976fb81ef3b62da05c6604c18fd4a249f5044282479fc286af2",
          "id": "org.opentest4j:opentest4j:1.2.0",
          "parent": "org.junit.platform:junit-platform-engine:1.9.2",
          "children": []
        }
      ]
    }
  ]
}

This is close to the format of npm's package-lock.json file. We made some Java-specific changes to the format, e.g., we added the groupId field. For each artifact, we store the hashes of all of its transitive dependencies in the children field, which allows us to validate the integrity of the transitive dependencies as well.
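How a lockfile tree of this shape is checked against a local repository, as an added Python example that is not part of the maven-lockfile project: it walks every node and its children, recomputes each artifact's checksum under the standard local-repository layout (assumed here: group dirs/artifact/version/artifact-version.jar), and also checks that each child's parent field names the node that holds it. The jar bytes and the repository directory are constructed inline so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def artifact_path(repo: Path, dep: dict) -> Path:  # Maven local-repository layout (assumed)
    return repo.joinpath(*dep["groupId"].split("."), dep["artifactId"], dep["version"],
                         f"{dep['artifactId']}-{dep['version']}.jar")

def file_digest(path: Path, algorithm: str) -> str:
    return hashlib.new(algorithm.replace("-", "").lower(), path.read_bytes()).hexdigest()  # "SHA-256" -> "sha256"

def walk(deps: list, parent_id=None):
    for dep in deps:  # depth first; a node's children are its transitive dependencies
        yield dep, parent_id
        yield from walk(dep.get("children", []), dep["id"])

def validate(lockfile: dict, repo: Path) -> dict:  # maps artifact id -> ok / missing / mismatch / bad-parent
    results = {}
    for dep, parent_id in walk(lockfile["dependencies"]):
        path = artifact_path(repo, dep)
        if parent_id is not None and dep.get("parent") != parent_id:
            status = "bad-parent"  # child claims a parent other than the node holding it
        elif not path.is_file():
            status = "missing"
        else:
            status = "ok" if file_digest(path, dep["checksumAlgorithm"]) == dep["checksum"] else "mismatch"
        results[dep["id"]] = status
    return results

def make_demo_repo(root: Path) -> dict:
    # Write two constructed stand-in jars and lock them (the role the generate goal plays)
    engine = {"groupId": "org.junit.platform", "artifactId": "junit-platform-engine", "version": "1.9.2"}
    api = {"groupId": "org.apiguardian", "artifactId": "apiguardian-api", "version": "1.1.2"}
    for dep, payload in ((engine, b"constructed engine jar"), (api, b"constructed api jar")):
        path = artifact_path(root, dep)
        path.parent.mkdir(parents=True)
        path.write_bytes(payload)
        dep.update(id=f"{dep['groupId']}:{dep['artifactId']}:{dep['version']}",
                   checksumAlgorithm="SHA-256", checksum=file_digest(path, "SHA-256"), children=[])
    api["parent"] = engine["id"]
    engine["children"].append(api)
    return {"artifactID": "my-app", "groupID": "com.mycompany.app", "version": "1",
            "lockFileVersion": 1, "dependencies": [engine]}

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        lock = make_demo_repo(root := Path(tmp))
        before = validate(lock, root)  # clean repository: every node ok
        artifact_path(root, lock["dependencies"][0]["children"][0]).write_bytes(b"tampered")
        return {"before": before, "after": validate(lock, root)}
```

Running demo() shows the transitive apiguardian-api node flip from ok to mismatch while the direct dependency stays ok, which is exactly what storing per-child checksums buys you.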

GitHub Action

We have created a GitHub Action that can be used to validate the integrity of your Maven repository. A sample workflow is shown below:

name: Lockfile
on:
  pull_request:

jobs:
  check-lockfile:
    runs-on: ubuntu-latest
    steps:
      - name: run maven-lockfile
        uses: chains-project/maven-lockfile@v1.1.9
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

If a pom.xml file is changed, this action adds a commit with the updated lockfile to the pull request. Otherwise, it validates the lockfile and fails if the lockfile is incorrect.

⚠️ Warning: the result of validating your lockfile can be platform dependent. Some artifacts are platform dependent, so their checksums differ between platforms.

Related work

Here we list some related work that we found while researching this topic.