maven-lockfile
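<!-- Consumption snippet as shown by the repository browser. The POM that follows declares
     packaging "maven-plugin", so builds normally reference these coordinates from a
     <plugin> entry under <build><plugins> rather than from <dependencies>. -->
<dependency>
  <groupId>io.github.chains-project</groupId>
  <artifactId>maven-lockfile</artifactId>
  <version>5.16.1-beta-3</version>
</dependency>
<?xml version="1.0" encoding="UTF-8"?>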
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<!-- Parent POM, resolved from the directory above. Settings that do not appear in this
     file may be inherited from it, so review the two together. -->
<parent>
  <groupId>io.github.chains-project</groupId>
  <artifactId>maven-lockfile-parent</artifactId>
  <version>5.16.1-beta-3</version>
  <relativePath>../</relativePath>
</parent>
<!-- Coordinates of this module; it is packaged as a Maven plugin. -->
<groupId>io.github.chains-project</groupId>
<artifactId>maven-lockfile</artifactId>
<version>5.16.1-beta-3</version>
<packaging>maven-plugin</packaging>
<name>maven-lockfile-plugin</name>
<description>This plugin is a state-of-the-art solution that can be used to validate the integrity
of a maven repository.
It does this by generating a lock file that contains the checksums of all the artifacts in the
repository.
The lock file can then be used to validate the integrity of the repository.
This guards the supply chain against malicious actors that might tamper with the artifacts in
the repository.</description>
<url>https://github.com/chains-project/maven-lockfile</url>
<!-- Minimum Maven version declared for running the plugin.
     NOTE(review): 3.2.5 is far older than the Maven API version compiled against
     (mavenVersion below); confirm the plugin is exercised on the declared minimum. -->
<prerequisites>
  <maven>3.2.5</maven>
</prerequisites>
<!-- Source location. Both connections use HTTPS, and the tag is derived from the project
     version, so a published release can be traced back to its source tree. -->
<scm>
  <connection>scm:git:https://github.com/chains-project/maven-lockfile</connection>
  <developerConnection>scm:git:https://github.com/chains-project/maven-lockfile.git</developerConnection>
  <tag>v${project.version}</tag>
  <url>https://github.com/chains-project/maven-lockfile/tree/${project.scm.tag}/maven_plugin</url>
</scm>
<properties>
  <!-- Single version used for the org.apache.maven artifacts that reference it below. -->
  <mavenVersion>3.9.11</mavenVersion>
  <!-- Compile for Java 11. -->
  <maven.compiler.release>11</maven.compiler.release>
  <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencyManagement>
  <dependencies>
    <!-- Pins the transitive plexus-utils to 4.0.3 because of GHSA-6fmv-xxpf-w3cw /
         CVE-2025-67030. Without this entry maven-core brings in 3.6.0 through maven-model.
         A managed version only constrains what this module resolves; after any Maven
         upgrade re-check the result with
         "mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils".
         NOTE(review): maven-core and maven-model are declared with provided scope in this
         POM, so the copy loaded when the plugin runs inside a Maven installation may not
         be the one pinned here; confirm. -->
    <dependency>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
      <version>4.0.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>
<dependencies>
  <!-- Direct dependencies. Scope decides what ships with the plugin:
         provided = supplied by the Maven runtime that loads the plugin,
         test     = test classpath of this build only,
         no scope = compile scope, resolved onto the plugin classpath of every consuming build.
       Every version is a fixed literal or ${mavenVersion}; no version ranges are used.
       Declaration order is kept as published. -->
  <dependency>
    <groupId>org.apache.maven</groupId>
    <artifactId>maven-plugin-api</artifactId>
    <version>${mavenVersion}</version>
    <scope>provided</scope>
  </dependency>
  <!-- plexus-utils 4.x moved its XML APIs into plexus-xml; this entry supplies
       XmlPullParserException. -->
  <dependency>
    <groupId>org.codehaus.plexus</groupId>
    <artifactId>plexus-xml</artifactId>
    <version>4.1.1</version>
    <scope>provided</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.maven.plugin-tools</groupId>
    <artifactId>maven-plugin-annotations</artifactId>
    <version>3.15.2</version>
    <scope>provided</scope>
  </dependency>
  <dependency>
    <groupId>org.junit.jupiter</groupId>
    <artifactId>junit-jupiter-api</artifactId>
    <version>6.0.2</version>
    <scope>test</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.maven</groupId>
    <artifactId>maven-core</artifactId>
    <version>${mavenVersion}</version>
    <scope>provided</scope>
  </dependency>
  <!-- Compile scope: bundled on the plugin classpath. -->
  <dependency>
    <groupId>com.google.code.gson</groupId>
    <artifactId>gson</artifactId>
    <version>2.13.2</version>
  </dependency>
  <!-- Compile scope: bundled on the plugin classpath. -->
  <dependency>
    <groupId>org.apache.maven.resolver</groupId>
    <artifactId>maven-resolver-api</artifactId>
    <version>2.0.14</version>
  </dependency>
  <dependency>
    <groupId>org.apache.maven.plugin-testing</groupId>
    <artifactId>maven-plugin-testing-harness</artifactId>
    <version>4.0.0-beta-4</version>
    <scope>test</scope>
  </dependency>
  <!-- NOTE(review): pinned to 3.9.6 while the other org.apache.maven artifacts follow
       ${mavenVersion} (3.9.11); confirm the version skew on the test classpath is intended. -->
  <dependency>
    <groupId>org.apache.maven</groupId>
    <artifactId>maven-compat</artifactId>
    <version>3.9.6</version>
    <scope>test</scope>
  </dependency>
  <dependency>
    <groupId>org.junit.jupiter</groupId>
    <artifactId>junit-jupiter-engine</artifactId>
    <version>6.0.2</version>
    <scope>test</scope>
  </dependency>
  <!-- Declared explicitly so the test classpath uses a release that contains the fix for
       GHSA-rqfh-9r24-8c9r (XXE vulnerability in versions < 3.27.7). Test scope only. -->
  <dependency>
    <groupId>org.assertj</groupId>
    <artifactId>assertj-core</artifactId>
    <version>3.27.7</version>
    <scope>test</scope>
  </dependency>
  <!-- NOTE(review): compile scope, so log4j-core is resolved for every build that runs the
       plugin. Confirm it is needed at runtime rather than only in tests; each bundled
       library is one more component consumers have to track for advisories. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.25.4</version>
  </dependency>
  <dependency>
    <groupId>com.soebes.itf.jupiter.extension</groupId>
    <artifactId>itf-jupiter-extension</artifactId>
    <version>0.13.1</version>
    <scope>test</scope>
  </dependency>
  <dependency>
    <groupId>com.soebes.itf.jupiter.extension</groupId>
    <artifactId>itf-assertj</artifactId>
    <version>0.13.1</version>
    <scope>test</scope>
  </dependency>
  <dependency>
    <groupId>org.instancio</groupId>
    <artifactId>instancio-junit</artifactId>
    <version>5.5.1</version>
    <scope>test</scope>
  </dependency>
  <!-- Compile scope: bundled on the plugin classpath. -->
  <dependency>
    <groupId>com.google.guava</groupId>
    <artifactId>guava</artifactId>
    <version>33.5.0-jre</version>
  </dependency>
  <!-- Compile scope: bundled on the plugin classpath. -->
  <dependency>
    <groupId>org.apache.maven.shared</groupId>
    <artifactId>maven-dependency-tree</artifactId>
    <version>3.3.0</version>
  </dependency>
  <!-- Compile scope: bundled on the plugin classpath. -->
  <dependency>
    <groupId>org.apache.maven.shared</groupId>
    <artifactId>maven-artifact-transfer</artifactId>
    <version>0.13.1</version>
  </dependency>
  <dependency>
    <groupId>org.apache.maven</groupId>
    <artifactId>maven-model</artifactId>
    <version>${mavenVersion}</version>
    <scope>provided</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.maven</groupId>
    <artifactId>maven-artifact</artifactId>
    <version>${mavenVersion}</version>
    <scope>provided</scope>
  </dependency>
  <dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.21.0</version>
    <scope>test</scope>
  </dependency>
</dependencies>
<build>
  <plugins>
    <!-- Generates the plugin descriptor for this maven-plugin artifact. Every build plugin
         in this section carries an explicit version. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-plugin-plugin</artifactId>
      <version>3.15.2</version>
      <configuration>
        <!-- Goal prefix set explicitly; see https://issues.apache.org/jira/browse/MNG-5346.
             NOTE(review): "configurator" does not match the artifact name; confirm it is
             the prefix users are expected to invoke. -->
        <goalPrefix>configurator</goalPrefix>
      </configuration>
      <executions>
        <execution>
          <id>mojo-descriptor</id>
          <goals>
            <goal>descriptor</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
    <!-- Groovy script runner, not inherited by child modules.
         NOTE(review): as published, the execution names no goal and the script element is
         empty. If the source POM carries a real script, it is code that runs during the
         build and should be reviewed like any other source file. -->
    <plugin>
      <groupId>org.codehaus.gmavenplus</groupId>
      <artifactId>gmavenplus-plugin</artifactId>
      <version>4.2.1</version>
      <inherited>false</inherited>
      <dependencies>
        <dependency>
          <groupId>org.apache.groovy</groupId>
          <artifactId>groovy</artifactId>
          <version>5.0.3</version>
          <scope>runtime</scope>
        </dependency>
      </dependencies>
      <executions>
        <execution>
          <configuration>
            <scripts>
              <script/>
            </scripts>
          </configuration>
        </execution>
      </executions>
    </plugin>
    <!-- Additionally packages the test classes as a test-jar. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jar-plugin</artifactId>
      <version>3.5.0</version>
      <executions>
        <execution>
          <id>test-jar</id>
          <goals>
            <goal>test-jar</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
    <!-- Integration-test framework plugin: runs its install and resources-its goals in the
         pre-integration-test phase. -->
    <plugin>
      <groupId>com.soebes.itf.jupiter.extension</groupId>
      <artifactId>itf-maven-plugin</artifactId>
      <version>0.13.1</version>
      <executions>
        <execution>
          <id>installing</id>
          <goals>
            <goal>install</goal>
            <goal>resources-its</goal>
          </goals>
          <phase>pre-integration-test</phase>
        </execution>
      </executions>
    </plugin>
    <!-- Runs the integration tests. No groupId is given, so Maven applies its default
         plugin group, org.apache.maven.plugins. -->
    <plugin>
      <artifactId>maven-failsafe-plugin</artifactId>
      <version>3.5.4</version>
      <configuration>
        <!-- Exposed to the integration tests as system properties; currently required
             for them to run. -->
        <systemPropertyVariables>
          <maven.version>${maven.version}</maven.version>
          <maven.home>${maven.home}</maven.home>
        </systemPropertyVariables>
        <!-- JUnit Platform settings: parallel execution enabled, with a fixed parallelism
             of 6. The text below is passed through as written. -->
        <properties>
          <configurationParameters>junit.jupiter.execution.parallel.enabled=true
junit.jupiter.execution.parallel.mode.default=concurrent
junit.jupiter.execution.parallel.mode.classes.default=same_thread
junit.jupiter.execution.parallel.config.strategy=fixed
junit.jupiter.execution.parallel.config.fixed.parallelism=6</configurationParameters>
        </properties>
        <!-- A failing integration test is retried up to 2 times.
             NOTE(review): retries can hide nondeterministic failures; track tests that
             only pass on a rerun instead of treating them as clean. -->
        <rerunFailingTestsCount>2</rerunFailingTestsCount>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>integration-test</goal>
            <goal>verify</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
<profiles>
  <!-- Release profile: attaches javadoc and source jars and pins the deploy plugin version.
       NOTE(review): no artifact-signing step is visible in this profile; presumably signing
       is configured in the parent POM or in the release tooling. Confirm, since consumers
       rely on signatures and checksums to verify what was published. -->
  <profile>
    <id>publication</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-javadoc-plugin</artifactId>
          <version>3.12.0</version>
          <executions>
            <execution>
              <id>attach-javadocs</id>
              <goals>
                <goal>jar</goal>
              </goals>
              <configuration>
                <attach>true</attach>
              </configuration>
            </execution>
          </executions>
        </plugin>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-source-plugin</artifactId>
          <version>3.4.0</version>
          <executions>
            <execution>
              <id>attach-sources</id>
              <goals>
                <goal>jar</goal>
              </goals>
              <configuration>
                <attach>true</attach>
              </configuration>
            </execution>
          </executions>
        </plugin>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-deploy-plugin</artifactId>
          <version>3.1.4</version>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
</project>