
org.apache.maven.shared.dependency.graph.internal.SpyingDependencyNodeUtils Maven / Gradle / Ivy


This plugin is a state-of-the-art solution that can be used to validate the integrity of a maven repository. It does this by generating a lock file that contains the checksums of all the artifacts in the repository. The lock file can then be used to validate the integrity of the repository. This guards the supply chain against malicious actors that might tamper with the artifacts in the repository.

There is a newer version: 5.3.5
package org.apache.maven.shared.dependency.graph.internal;

import java.lang.reflect.Field;
import java.util.Optional;
import org.apache.log4j.Logger;
import org.apache.maven.shared.dependency.graph.DependencyNode;

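public class SpyingDependencyNodeUtils {

    private static final Logger LOGGER = Logger.getLogger(SpyingDependencyNodeUtils.class);

    /**
     * Reads the conflict-resolution "winner" version from a dependency node.
     *
     * <p>This is a hack: the conflict data is not exposed by the dependency-graph API, so the
     * private {@code data} field of {@link VerboseDependencyNode} is read reflectively. The lookup
     * depends on that field's name and type and will stop working if the library changes either.
     *
     * <p>An empty result is ambiguous: it is returned when the node is not a
     * {@link VerboseDependencyNode}, when no conflict data or winner version is recorded, and when
     * the reflective read fails (the failure is logged at WARN). Callers that use the version for
     * integrity decisions should treat empty as "unknown", not as proof that no conflict exists.
     *
     * @param node the node to read the conflict data from; may be {@code null}
     * @return the winner version, or {@link Optional#empty()} if it could not be determined
     */
    public static Optional<String> getWinnerVersion(DependencyNode node) {
        // instanceof is false for null, so a null node falls through to the empty result.
        if (!(node instanceof VerboseDependencyNode)) {
            return Optional.empty();
        }
        try {
            Field dataField = VerboseDependencyNode.class.getDeclaredField("data");
            // The field is private to the library class; access is opened for this read only.
            dataField.setAccessible(true);
            ConflictData data = (ConflictData) dataField.get(node);
            if (data == null) {
                // No conflict data on this node: avoid a NullPointerException on the getter below.
                return Optional.empty();
            }
            return Optional.ofNullable(data.getWinnerVersion());
        } catch (NoSuchFieldException | SecurityException | IllegalArgumentException | IllegalAccessException e) {
            // Best effort: a failed reflective read must not abort the caller, but it is logged so
            // that a library change that breaks this hack does not go unnoticed.
            LOGGER.warn("Could not get winner dependency version.", e);
        }
        return Optional.empty();
    }
}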



