{"id":26633523,"url":"https://github.com/chains-project/maven-lockfile","last_synced_at":"2026-05-17T07:08:00.223Z","repository":{"id":65399790,"uuid":"575350863","full_name":"chains-project/maven-lockfile","owner":"chains-project","description":"Lockfiles for Maven. Pin your dependencies. Build with integrity.","archived":false,"fork":false,"pushed_at":"2026-02-04T12:45:42.000Z","size":38567,"stargazers_count":54,"open_issues_count":21,"forks_count":14,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-05T00:29:23.241Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chains-project.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"Contributing.md","funding":null,"license":"License","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-12-07T10:11:49.000Z","updated_at":"2026-02-04T12:42:45.000Z","dependencies_parsed_at":"2023-02-15T04:15:49.445Z","dependency_job_id":"d58761fc-405e-431a-ae94-8818419e4c63","html_url":"https://github.com/chains-project/maven-lockfile","commit_stats":null,"previous_names":[],"tags_count":97,"template":false,"template_full_name":null,"purl":"pkg:github/chains-project/maven-lockfile","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-lockfile","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-lockfile/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cha
ins-project%2Fmaven-lockfile/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-lockfile/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chains-project","download_url":"https://codeload.github.com/chains-project/maven-lockfile/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fmaven-lockfile/sbom","scorecard":{"id":273075,"data":{"date":"2025-08-14T22:40:22Z","repo":{"name":"github.com/chains-project/maven-lockfile","commit":"cd9c7b9da140565f6c978639f4d2c84cce80a8e4"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":5.2,"checks":[{"name":"Code-Review","score":0,"reason":"Found 1/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: security.md:1","Info: Found linked content: security.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: security.md:1","Info: Found text in security policy: security.md:1"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: RenovateBot: renovate.json:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Dangerous-Workflow","score":0,"reason":"dangerous workflow patterns detected","details":["Warn: script injection with untrusted input ' github.head_ref ': .github/workflows/ensure-release-notrunning.yml:45"],"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/Lockfile.yml:12","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/LockfilePR.yml:10","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:36","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:35","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/doc.yml:11","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ghasum.yml:12","Warn: jobLevel 'contents' permission set to 'write': 
.github/workflows/jreleaser.yml:22","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/regenerate-lockfile.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/Lockfile.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/LockfilePR.yml:6","Info: topLevel 'contents' permission set to 'read': .github/workflows/code-qualitiy.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/doc.yml:6","Warn: no topLevel permission defined: .github/workflows/ensure-release-notrunning.yml:1","Info: topLevel permissions set to 'read-all': .github/workflows/ghasum.yml:5","Warn: no topLevel permission defined: .github/workflows/jreleaser.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/regenerate-lockfile.yml:6","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/smoke-tests.yml:8"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":6,"reason":"dependency not pinned by hash detected -- score normalized to 6","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-qualitiy.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/code-qualitiy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-qualitiy.yml:92: update your workflow using 
https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/code-qualitiy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/dependency-review.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/doc.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/doc.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ghasum.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/ghasum.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/jreleaser.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/jreleaser.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/jreleaser.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/jreleaser.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/jreleaser.yml:117: update your workflow using 
https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/jreleaser.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/jreleaser.yml:194: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/jreleaser.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke-tests.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/smoke-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/smoke-tests.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/chains-project/maven-lockfile/smoke-tests.yml/main?enable=pin","Warn: goCommand not pinned by hash: .github/workflows/jreleaser.yml:61","Warn: downloadThenRun not pinned by hash: .github/workflows/smoke-tests.yml:57","Info:  15 out of  26 GitHub-owned GitHubAction dependencies pinned","Info:  14 out of  17 third-party GitHubAction dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (29) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: checksums_sha256.txt.asc: https://github.com/chains-project/maven-lockfile/releases/tag/v5.6.1","Info: signed release artifact: checksums_sha256.txt.asc: https://github.com/chains-project/maven-lockfile/releases/tag/v5.6.0","Info: signed release artifact: checksums_sha256.txt.asc: https://github.com/chains-project/maven-lockfile/releases/tag/v5.5.3","Info: signed release artifact: checksums_sha256.txt.asc: https://github.com/chains-project/maven-lockfile/releases/tag/v5.5.2","Info: signed release artifact: checksums_sha256.txt.asc: https://github.com/chains-project/maven-lockfile/releases/tag/v5.5.1","Warn: release artifact v5.6.1 does not have provenance: https://api.github.com/repos/chains-project/maven-lockfile/releases/236674875","Warn: release artifact v5.6.0 does not have provenance: https://api.github.com/repos/chains-project/maven-lockfile/releases/226184909","Warn: release artifact v5.5.3 does not have provenance: https://api.github.com/repos/chains-project/maven-lockfile/releases/223523471","Warn: release artifact v5.5.2 does not have provenance: https://api.github.com/repos/chains-project/maven-lockfile/releases/216980593","Warn: release artifact v5.5.1 does not have provenance: https://api.github.com/repos/chains-project/maven-lockfile/releases/214737127"],"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/jreleaser.yml:17"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: License:0","Info: FSF or OSI recognized license: MIT License: License:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Contributors","score":10,"reason":"project has 9 contributing companies or organizations","details":["Info: found contributions from: CGI-NRM, KAMP-Research, KTH, STAMP-project, SpoonLabs, acme corporation, castor-software, chains-project, wasp-sweden"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"28 out of 28 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'release/5.6.1'","Warn: branch 
protection not enabled for branch 'release/5.6.0'","Warn: branch protection not enabled for branch 'release/5.5.3'","Warn: branch protection not enabled for branch 'release/5.5.2'","Warn: branch protection not enabled for branch 'release/5.5.1'","Warn: branch protection not enabled for branch 'release/5.5.0'","Warn: branch protection not enabled for branch 'release/5.4.2'","Warn: branch protection not enabled for branch 'release/5.4.1'","Warn: branch protection not enabled for branch 'release/5.4.0'","Warn: branch protection not enabled for branch 'release/5.3.5'","Warn: branch protection not enabled for branch 'release/5.3.4'","Warn: branch protection not enabled for branch 'release/5.3.3'","Warn: branch protection not enabled for branch 'release/5.3.2'","Warn: branch protection not enabled for branch 'release/5.3.1'","Warn: branch protection not enabled for branch 'release/5.3.0'","Warn: branch protection not enabled for branch 'release/5.2.3'","Warn: branch protection not enabled for branch 'release/5.2.2'","Warn: branch protection not enabled for branch 'release/5.2.1'","Warn: branch protection not enabled for branch 'release/5.2.0'","Warn: branch protection not enabled for branch 'release/5.1.0'","Warn: branch protection not enabled for branch 'release/5.0.0'","Warn: branch protection not enabled for branch 'release/4.2.2'","Warn: branch protection not enabled for branch 'release/4.2.1'","Warn: branch protection not enabled for branch 'release/4.2.0'","Warn: branch protection not enabled for branch 'release/4.1.0'","Warn: branch protection not enabled for branch 'release/4.0.0'","Warn: branch protection not enabled for branch 'release/3.4.2'","Warn: branch protection not enabled for branch 'release/3.4.1'","Warn: branch protection not enabled for branch 'release/3.4.0'","Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 
'main'","Warn: could not determine whether codeowners review is allowed","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"84 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v","Warn: Project is vulnerable to: GHSA-h46c-h94j-95f3","Warn: Project is vulnerable to: GHSA-78wr-2p64-hpwj","Warn: Project is vulnerable to: GHSA-4265-ccf5-phj5","Warn: Project is vulnerable to: GHSA-4g9r-vxhx-9pgx","Warn: Project is vulnerable to: GHSA-cgwf-w82q-5jrr","Warn: Project is vulnerable to: GHSA-vmq6-5m68-f53m","Warn: Project is vulnerable to: GHSA-6v67-2wr5-gvf4","Warn: Project is vulnerable to: GHSA-pr98-23f8-jwxv","Warn: Project is vulnerable to: GHSA-27hp-xhwr-wr2m","Warn: Project is vulnerable to: GHSA-5j33-cvvr-w245","Warn: Project is vulnerable to: GHSA-7w75-32cg-r6g2","Warn: Project is vulnerable to: GHSA-83qj-6fr2-vhqg","Warn: Project is vulnerable to: GHSA-fccv-jmmp-qg76","Warn: Project is vulnerable to: GHSA-g8pj-r55q-5c2v","Warn: Project is vulnerable to: GHSA-h2fw-rfh5-95r3","Warn: Project is vulnerable to: GHSA-h3gc-qfqq-6h8f","Warn: Project is vulnerable to: GHSA-hfrx-6qgj-fp6c","Warn: Project is vulnerable to: GHSA-q3mw-pvr8-9ggc","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GHSA-r6j3-px5g-cq3x","Warn: Project is vulnerable to: GHSA-wc4r-xq3c-5cf3","Warn: 
Project is vulnerable to: GHSA-wm9w-rjj3-j356","Warn: Project is vulnerable to: GHSA-v682-8vv8-vpwr","Warn: Project is vulnerable to: GHSA-rc42-6c7j-7h5r","Warn: Project is vulnerable to: GHSA-xf96-w227-r7c4","Warn: Project is vulnerable to: GHSA-4gc7-5j7h-4qph","Warn: Project is vulnerable to: GHSA-4wp7-92pw-q264","Warn: Project is vulnerable to: GHSA-564r-hj7v-mcr5","Warn: Project is vulnerable to: GHSA-9cmq-m9j5-mvww","Warn: Project is vulnerable to: GHSA-wxqc-pxw9-g2p8","Warn: Project is vulnerable to: GHSA-2rmj-mq67-h97g","Warn: Project is vulnerable to: GHSA-2wrp-6fg6-hmc5","Warn: Project is vulnerable to: GHSA-4wrc-f8pq-fpqp","Warn: Project is vulnerable to: GHSA-ccgv-vj62-xf9h","Warn: Project is vulnerable to: GHSA-hgjh-9rj2-g67j","Warn: Project is vulnerable to: GHSA-cx7f-g6mp-7hqm","Warn: Project is vulnerable to: GHSA-g5vr-rgqm-vf78","Warn: Project is vulnerable to: GHSA-w3c8-7r8f-9jp8","Warn: Project is vulnerable to: GHSA-3mc7-4q67-w48m","Warn: Project is vulnerable to: GHSA-98wm-3w3q-mw94","Warn: Project is vulnerable to: GHSA-9w3m-gqgf-c4p9","Warn: Project is vulnerable to: GHSA-c4r9-r8fh-9vj2","Warn: Project is vulnerable to: GHSA-hhhw-99gj-p3c3","Warn: Project is vulnerable to: GHSA-mjmj-j48q-9wg2","Warn: Project is vulnerable to: GHSA-w37g-rhq8-7m4j","Warn: Project is vulnerable to: GHSA-5mg8-w23w-74h3","Warn: Project is vulnerable to: GHSA-7g45-4rm6-3mm3","Warn: Project is vulnerable to: GHSA-mvr2-9pj6-7w5j","Warn: Project is vulnerable to: GHSA-735f-pc8j-v9w8","Warn: Project is vulnerable to: GHSA-5mcr-gq6c-3hq2","Warn: Project is vulnerable to: GHSA-9vjp-v76f-g363","Warn: Project is vulnerable to: GHSA-cqqj-4p63-rrmm","Warn: Project is vulnerable to: GHSA-f256-j965-7f32","Warn: Project is vulnerable to: GHSA-grg4-wf29-r9vv","Warn: Project is vulnerable to: GHSA-p2v9-g2qv-p635","Warn: Project is vulnerable to: GHSA-wm47-8v5p-wjpj","Warn: Project is vulnerable to: GHSA-wx5j-54mm-rqqq","Warn: Project is vulnerable to: GHSA-xfv3-rrfm-f2rv","Warn: 
Project is vulnerable to: GHSA-2qrg-x229-3v8q","Warn: Project is vulnerable to: GHSA-65fg-84f6-3jq3","Warn: Project is vulnerable to: GHSA-f7vh-qwp3-x37m","Warn: Project is vulnerable to: GHSA-fp5r-v3w9-4333","Warn: Project is vulnerable to: GHSA-w9p3-5cr8-m3jj","Warn: Project is vulnerable to: GHSA-7rjr-3q55-vv33","Warn: Project is vulnerable to: GHSA-8489-44mv-ggj8","Warn: Project is vulnerable to: GHSA-fxph-q3j8-mv87","Warn: Project is vulnerable to: GHSA-jfh8-c2jp-5v3q","Warn: Project is vulnerable to: GHSA-p6xc-xr62-6r2g","Warn: Project is vulnerable to: GHSA-vwqq-5vrc-xw9h","Warn: Project is vulnerable to: GHSA-2hw2-62cp-p9p7","Warn: Project is vulnerable to: GHSA-7286-pgfv-vxvh","Warn: Project is vulnerable to: GHSA-7cwj-j333-x7f7","Warn: Project is vulnerable to: GHSA-ccqf-c5hq-77mp","Warn: Project is vulnerable to: GHSA-rc7h-x6cq-988q","Warn: Project is vulnerable to: GHSA-36p3-wjmg-h94x","Warn: Project is vulnerable to: GHSA-hh26-6xwr-ggv7","Warn: Project is vulnerable to: GHSA-g5mm-vmx4-3rg7","Warn: Project is vulnerable to: GHSA-4487-x383-qpph","Warn: Project is vulnerable to: GHSA-8crv-49fr-2h6j","Warn: Project is vulnerable to: GHSA-g8hw-794c-4j9g","Warn: Project is vulnerable to: GHSA-pgf9-h69p-pcgf","Warn: Project is vulnerable to: GHSA-rcpf-vj53-7h2m","Warn: Project is vulnerable to: GHSA-558x-2xjg-6232"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T13:50:47.400Z","repository_id":65399790,"created_at":"2025-08-17T13:50:47.400Z","updated_at":"2025-08-17T13:50:47.400Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29333037,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T06:13:03.264Z","status":"ssl_error","status_checked_at":"2026-02-11T06:12:55.843Z","response_time":97,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-24T15:15:21.248Z","updated_at":"2026-05-17T07:08:00.216Z","avatar_url":"https://github.com/chains-project.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Maven Lockfile\n\n[![SemVersion](https://img.shields.io/badge/semver-2.0.0-blue)](https://img.shields.io/badge/semver-2.0.0-blue)\n[![Maven Central](https://img.shields.io/maven-central/v/io.github.chains-project/maven-lockfile.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22io.github.chains-project%22%20AND%20a%3A%22maven-lockfile%22)\n[![Lockfile](https://github.com/chains-project/maven-lockfile/actions/workflows/Lockfile.yml/badge.svg)](https://github.com/chains-project/maven-lockfile/actions/workflows/Lockfile.yml)\n[![CII Best 
Practices](https://bestpractices.coreinfrastructure.org/projects/7447/badge)](https://bestpractices.coreinfrastructure.org/projects/7447)\n[![Reproducible Builds](https://img.shields.io/endpoint?url=https%3A%2F%2Fraw.githubusercontent.com%2Fjvm-repo-rebuild%2Freproducible-central%2Fmaster%2Fcontent%2Fio%2Fgithub%2Fchains-project%2Fmaven-lockfile%2Fbadge.json)](https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/github/chains-project/maven-lockfile/README.md)\n\n![Mavenlockfile Banner](https://github.com/user-attachments/assets/87b2e254-1c16-4995-8f4a-f80da93bfbc7)\n\nThis plugin is a state-of-the-art solution for validating the integrity of a maven build and guarding the build against malicious actors that might tamper with the artifacts. Features:\n* generating a lock file that contains the checksums of all the artifacts and dependencies.\n* validate the integrity of a build environment prior to building.\n* rebuild old versions with the pinned versions from the lockfile \n\nReference: [Maven-Lockfile: High Integrity Rebuild of Past Java Releases](https://arxiv.org/abs/2510.00730), Technical report 2510.00730, arXiv, 2025.\n\n\u003cdetails\u003e\n\u003csummary\u003e\n  \u003cb\u003eVideo Demo\u003c/b\u003e\n\u003c/summary\u003e\n\nVideo Demo available in full quality on [YouTube](https://youtu.be/eGgR3toBgxU) or compressed below:\n\nhttps://github.com/user-attachments/assets/4fac8229-d80b-4832-93c1-8cc8bf83e72b\n\u003c/details\u003e\n\n## Installation:\n\nThis plugin is available on maven central. 
See https://search.maven.org/artifact/io.github.chains-project/maven-lockfile for the latest version.\n\n## Usage\n\n### Generate a lockfile\n\nTo generate a lock file, run the following command:\n\n```\nmvn io.github.chains-project:maven-lockfile:generate\n```\nThis generates a lockfile.json file in each module of the repository, in readable JSON.\nThis file contains the checksums of all the artifacts in the repository.\nThe complete dependency tree, with transitive dependencies, is stored in the lockfile (akin a sbom).\nFor multi-module projects, there is one lockfile per module.\n\n### Checking the local dependencies against Maven lockfile.\n\nRun the following command to validate the repository:\n\n```\nmvn io.github.chains-project:maven-lockfile:validate\n```\nIf this runs successfully, the repository is valid. All dependencies defined are still the same as when the lock file was generated.\nIf the command fails, this means a dependency has changed.\n\n###  Rebuild old versions with the pinned versions from the lockfile.\n\nFirst create `pom.lockfile.xml`\n```\nmvn io.github.chains-project:maven-lockfile:freeze\n```\nThis creates a new pom file with the default name `pom.lockfile.xml`. A custom name can be passed with the flag `pomLockfileOutput`.\nIn the new pom file, every version of direct dependencies in the original pom will be replaced with the versions from the lockfile. Also, every transitive dependency is added to the pom inside the `dependencyManagement` section with the version and scope from the lockfile.\n\nThen, invoke maven with the -f flag\n\n```\nmvn -f pom.lockfile.xml\n```\n\n\n## Command line Flags\n\n- `reduced` (`-Dreduced=false`) will reduce the lockfile only containing the dependencies after dependency resolution conflicts are resolved. This format is smaller, and easier to review and read. 
Only use this if you do not need the full dependency tree.\n- `includeMavenPlugins` (`-DincludeMavenPlugins=true`) will include the maven plugins in the lockfile. This is useful if you want to validate the Maven plugins as well.\n- `allowValidationFailure` (`-DallowValidationFailure=true`, default=false) allow validation failures, printing a warning instead of an error. This is useful if you want to only validate the Maven lockfile, but do not need to fail the build in case the lockfile is not valid. Use with caution, you loose all guarantees.\n- `allowPomValidationFailure` (`-DallowPomValidationFailure=true`, default=false) allow validation failure of the pom specifically, dependency validation still occurs (assuming `allowValidationFailure` is `false`). In case of checksum mismatch of pom prints a warning instead of default exception.\n- `allowEnvironmentalValidationFailure` (`-DallowEnvironmentalValidationFailure=true`, default=false) allow validation failure of the environment. In case of environment mismatch prints a warning instead of default exception.\n- `includeEnvironment` (`-DincludeEnvironment=true`) will include the environment metadata in the lockfile. This is useful if you want to have warnings when the environment changes.\n- `checksumAlgorithm` (`-DchecksumAlgorithm=SHA-256`) will set the checksum algorithm used to generate the lockfile. If not explicitly provided it will use SHA-256.\n- `checksumMode` will set the checksum mode used to generate the lockfile. See [Checksum Modes](/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/ChecksumModes.java) for more information.\n- `skip` (`-Dskip=true`) will skip the execution of the plugin. 
This is useful if you would like to disable the plugin for a specific module.\n- `lockfileName` (`-DlockfileName=my-lockfile.json` default=\"lockfile.json\") will set the name of the lockfile file to be generated/read.\n- `getConfigFromFile` will read the configuration of maven lockfile from the existing lockfile.\n\nFor `:freeze` target:\n- `pomLockfileOutput` (`-DpomLockfileOutput=pom.xml`, default=pom.lockfile.xml) sets the name of the generated flattened pom file. Default is to create a new file with the name `pom.lockfile.xml`, but you can also set it to `pom.xml` to overwrite the original pom file.\n- `exactVersionStrings` (`-DexactVersionStrings=false`, default=true) provide version string as exact parameter `[1.0.0]`, instead of soft requirement `1.0.0`.\n\n### Flags example\n\nThe flags are passed by the maven [`-D` (`--define`)](https://books.sonatype.com/mvnref-book/reference/running-sect-options.html) property. For example, to set the `lockfileName` to `my-lockfile.json` and include maven plugins in the lockfile, you would run the following command:\n```bash\nmvn io.github.chains-project:maven-lockfile:generate -DincludeMavenPlugins=true -DlockfileName=my-lockfile.json\n```\n\n## Format\n\nAn example lockfile is shown below. 
Note that large parts of it has been minimzed to `{...}` for readability.\nFor a full example, see the [lockfile.json](/maven_plugin/lockfile.json) file in this repository.\n```json\n{\n  \"artifactId\": \"single-dependency\",\n  \"groupId\": \"com.mycompany.app\",\n  \"version\": \"1\",\n  \"pom\": {\n    \"groupId\": \"com.mycompany.app\",\n    \"artifactId\": \"single-dependency\",\n    \"version\": \"1\",\n    \"relativePath\": \"pom.xml\",\n    \"checksumAlgorithm\": \"SHA-256\",\n    \"checksum\": \"2152cc00c16d72fbf9430e6a95a56e9edf0180a500155490bf33a7349df75a1b\"\n  },\n  \"lockFileVersion\": 1,\n  \"dependencies\": [\n    {\n      \"groupId\": \"fr.inria.gforge.spoon\",\n      \"artifactId\": \"spoon-core\",\n      \"version\": \"10.3.0\",\n      \"checksumAlgorithm\": \"SHA-256\",\n      \"checksum\": \"37a43de039cf9a6701777106e3c5921e7131e5417fa707709abf791d3d8d9174\",\n      \"scope\": \"compile\",\n      \"resolved\": \"https://repo.maven.apache.org/maven2/fr/inria/gforge/spoon/spoon-core/10.3.0/spoon-core-10.3.0.jar\",\n      \"repositoryId\": \"central\",\n      \"selectedVersion\": \"10.3.0\",\n      \"included\": true,\n      \"id\": \"fr.inria.gforge.spoon:spoon-core:10.3.0\",\n      \"children\": [\n        {\n          \"groupId\": \"com.fasterxml.jackson.core\",\n          \"artifactId\": \"jackson-databind\",\n          \"version\": \"2.14.2\",\n          \"checksumAlgorithm\": \"SHA-256\",\n          \"checksum\": \"501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424\",\n          \"scope\": \"compile\",\n          \"resolved\": \"https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.14.2/jackson-databind-2.14.2.jar\",\n          \"repositoryId\": \"central\",\n          \"selectedVersion\": \"2.14.2\",\n          \"included\": true,\n          \"id\": \"com.fasterxml.jackson.core:jackson-databind:2.14.2\",\n          \"parent\": \"fr.inria.gforge.spoon:spoon-core:10.3.0\",\n          \"children\": 
[\n            {\n              \"groupId\": \"com.fasterxml.jackson.core\",\n              \"artifactId\": \"jackson-annotations\",\n              \"version\": \"2.14.2\",\n              \"checksumAlgorithm\": \"SHA-256\",\n              \"checksum\": \"2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d\",\n              \"scope\": \"compile\",\n              \"resolved\": \"https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.14.2/jackson-annotations-2.14.2.jar\",\n              \"repositoryId\": \"central\",\n              \"selectedVersion\": \"2.14.2\",\n              \"included\": true,\n              \"id\": \"com.fasterxml.jackson.core:jackson-annotations:2.14.2\",\n              \"parent\": \"com.fasterxml.jackson.core:jackson-databind:2.14.2\",\n              \"children\": []\n            },\n            {\n              \"groupId\": \"com.fasterxml.jackson.core\",\n              \"artifactId\": \"jackson-core\",\n              \"version\": \"2.14.2\",\n              \"checksumAlgorithm\": \"SHA-256\",\n              \"checksum\": \"b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a\",\n              \"scope\": \"compile\",\n              \"resolved\": \"https://repo.maven.apache.org/maven2/com/fasterxml/jackson/core/jackson-core/2.14.2/jackson-core-2.14.2.jar\",\n              \"repositoryId\": \"central\",\n              \"selectedVersion\": \"2.14.2\",\n              \"included\": true,\n              \"id\": \"com.fasterxml.jackson.core:jackson-core:2.14.2\",\n              \"parent\": \"com.fasterxml.jackson.core:jackson-databind:2.14.2\",\n              \"children\": []\n            }\n          ]\n        },\n        {\n          \"groupId\": \"com.martiansoftware\",\n          \"artifactId\": \"jsap\",\n          \"version\": \"2.1\",\n          \"checksumAlgorithm\": \"SHA-256\",\n          \"checksum\": \"331746fa62cfbc3368260c5a2e660936ad11be612308c120a044e120361d474e\",\n          
\"scope\": \"compile\",\n          \"resolved\": \"https://repo.maven.apache.org/maven2/com/martiansoftware/jsap/2.1/jsap-2.1.jar\",\n          \"repositoryId\": \"central\",\n          \"selectedVersion\": \"2.1\",\n          \"included\": true,\n          \"id\": \"com.martiansoftware:jsap:2.1\",\n          \"parent\": \"fr.inria.gforge.spoon:spoon-core:10.3.0\",\n          \"children\": []\n        },\n        {...}\n      ]\n    }\n  ],\n  \"mavenPlugins\": [\n    {\n      \"groupId\": \"org.apache.maven.plugins\",\n      \"artifactId\": \"maven-clean-plugin\",\n      \"version\": \"3.2.0\",\n      \"checksumAlgorithm\": \"SHA-256\",\n      \"checksum\": \"b657bef2e1eb11e029a70cd688bde6adad29e4e99dacb18516bf651ecca32435\",\n      \"resolved\": \"https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.jar\",\n      \"repositoryId\": \"central\",\n      \"dependencies\": [\n        {\n          \"groupId\": \"org.apache.maven\",\n          \"artifactId\": \"maven-core\",\n          \"version\": \"3.2.5\",\n          \"checksumAlgorithm\": \"SHA-256\",\n          \"checksum\": \"4f1a0af8997e1daf778b91c5ae9e973f92df699439d909fdec7fc6055c09de12\",\n          \"scope\": \"provided\",\n          \"resolved\": \"https://repo.maven.apache.org/maven2/org/apache/maven/maven-core/3.2.5/maven-core-3.2.5.jar\",\n          \"repositoryId\": \"central\",\n          \"selectedVersion\": \"3.2.5\",\n          \"included\": true,\n          \"id\": \"org.apache.maven:maven-core:3.2.5\",\n          \"children\": [\n            {\n              \"groupId\": \"org.apache.maven\",\n              \"artifactId\": \"maven-aether-provider\",\n              \"version\": \"3.2.5\",\n              \"checksumAlgorithm\": \"SHA-256\",\n              \"checksum\": \"703944b922d5351aad53b842f7dd38439b7213425f13c6c7f034b8b699b7d578\",\n              \"scope\": \"provided\",\n              \"resolved\": 
\"https://repo.maven.apache.org/maven2/org/apache/maven/maven-aether-provider/3.2.5/maven-aether-provider-3.2.5.jar\",\n              \"repositoryId\": \"central\",\n              \"selectedVersion\": \"3.2.5\",\n              \"included\": true,\n              \"id\": \"org.apache.maven:maven-aether-provider:3.2.5\",\n              \"parent\": \"org.apache.maven:maven-core:3.2.5\",\n              \"children\": [\n                {...}\n              ]\n            },\n            {...}\n          ]\n        },\n        {...}\n      ]\n    },\n    {...}\n  ],\n  \"metaData\": {\n    \"environment\": {\n      \"osName\": \"Linux\",\n      \"mavenVersion\": \"3.9.12\",\n      \"javaVersion\": \"21.0.8\"\n    },\n    \"config\": {\n      \"includeMavenPlugins\": true,\n      \"allowValidationFailure\": false,\n      \"allowPomValidationFailure\": false,\n      \"allowEnvironmentalValidationFailure\": false,\n      \"includeEnvironment\": true,\n      \"reduced\": false,\n      \"mavenLockfileVersion\": \"5.14.1-beta-1\",\n      \"checksumMode\": \"remote\",\n      \"checksumAlgorithm\": \"SHA-256\"\n    }\n  }\n}\n```\nThis is close to the format of the npm `package-lock.json` lockfile.\nWe made some Java-specific changes to the format, e.g., we added the `groupId` field.\n\nIn case the artifact URL cannot be resolved, or the checksum cannot be calculated or downloaded (depending on `checksumMode`), an empty string will be recorded in the respective `resolved` or `checksum` field.\n\nFor each artifact, we store the hashes of all transitive dependencies in the `children` field.\nThis allows us to validate the integrity of the transitive dependencies as well.\n\n\n## GitHub Action\n\nWe have created a GitHub Action that can be used to validate the integrity of your `maven` repository.\nA sample workflow is shown below:\n```yml\nname: Lockfile\non:\n  pull_request:\n\npermissions:\n  contents: read\njobs:\n  check-lockfile:\n        permissions:\n          
contents: write\n        runs-on: ubuntu-latest\n        steps:\n        - name: run maven-lockfile\n          uses: chains-project/maven-lockfile@2d2ed1462246005ae3aafaf2d0bc619f521eadf6 # 5.14.0\n          with:\n            github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}\n            include-maven-plugins: true\n```\nIf a pom.xml or lockfile.json file is changed, this action will add a commit with the updated lockfile to the pull request.\nOtherwise, it will validate the lockfile and fail if the lockfile is incorrect.\nA lockfile is incorrect if any dependency has changed since the lockfile was generated. This includes versions and checksums.\n\n⚠️**Warning**: The result of this action could be platform-dependent. Some artifacts are platform-specific, and their checksums will differ between platforms.\n\n⚠️**Warning**: This action will only retrigger CI if you use a personal access token. If you use the default token, the action will not retrigger CI. See https://github.com/EndBug/add-and-commit#the-commit-from-the-action-is-not-triggering-ci for more information.\n\n⚠️**Warning**: Committing the changed lockfile does not work for pull requests from forks. See https://github.com/EndBug/add-and-commit#working-with-prs. You can add a personal access token to your repository to resolve this issue.\nIt still works for pull requests from the same repository. Renovate also works with this action because these PRs are created from the same repository.\n\n### Arguments\n\nExtended GitHub Actions example with all available options:\n\n```yml\n- uses: chains-project/maven-lockfile@2d2ed1462246005ae3aafaf2d0bc619f521eadf6 # 5.14.0\n  with:\n    # Required. The GitHub token used to commit the updated lockfile to the repository.\n    github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}\n\n    # Optional. Whether to commit an updated lockfile to the repository. The action can be used \n    #  to update lockfiles automatically in e.g. 
pull requests (see the warning about pull requests \n    #  from forks). If this is true and the pom.xml or workflow file has been updated, it will create \n    #  and commit the new lockfile; the action **will not** fail if the lockfile is outdated \n    #  or invalid and only pushes the correct version. If this is false, or the pom.xml and \n    #  workflow file remain unchanged, the action can be used to verify that the lockfile is correct: \n    #  the action **will** fail in case of an outdated or invalid lockfile.\n    # Defaults to true.\n    commit-lockfile: true\n\n    # Optional. The commit message for the lockfile if 'commit-lockfile' is true.\n    # Defaults to 'chore: update lockfile'\n    commit-message: 'chore: update lockfile'\n\n    # Optional. Whether to include Maven plugins in the lockfile.\n    # Defaults to false.\n    include-maven-plugins: false\n\n    # Optional. The name of the lockfile to generate/validate.\n    # Defaults to 'lockfile.json'.\n    lockfile-name: 'lockfile.json'\n\n    # Optional. The name of the workflow file, to automatically trigger lockfile generation when \n    #  the workflow is updated.\n    # Defaults to 'Lockfile.yml'\n    workflow-filename: 'Lockfile.yml'\n```\n\n### Using Action in Release with `-SNAPSHOT`-versions (synchronizing lockfile with release)\n\nIf you update your pom.xml during your release (e.g. by using `mvn versions:set`) to remove the `-SNAPSHOT` suffix or to increase the version, the lockfile needs to be regenerated as well; otherwise the commit tagged with the release will contain a lockfile with the wrong version. \nIf you also set the next `-SNAPSHOT` version in the release action/script, it is a good idea to update the lockfile there too, to avoid a separate `chore: lockfile` commit. 
\n\nAs an example, the steps for the CI in maven-lockfile are:\n* set the version from `X.Y.Z-SNAPSHOT` to `X.Y.Z` in `pom.xml`\n* run maven-lockfile using `mvn io.github.chains-project:maven-lockfile:5.4.1:generate`\n* build and release\n* create `Releasing version X.Y.Z` commit and tag it with `vX.Y.Z`\n* set the version to `X.Y.(Z+1)-SNAPSHOT` in `pom.xml`\n* run maven-lockfile using `mvn io.github.chains-project:maven-lockfile:5.4.1:generate`\n* create `Setting SNAPSHOT version X.Y.(Z+1)-SNAPSHOT` commit\n\n## Related work\n\nHere we list some related work that we found while researching this topic.\n\n- Maven: https://github.com/vandmo/dependency-lock-maven-plugin\n- Gradle: Gradle has a built-in solution: https://docs.gradle.org/current/userguide/dependency_locking.html. This solution only works for Gradle builds and is deeply connected to the Gradle build system. The Gradle ecosystem is fast changing and so is its dependency resolution. Our lockfile is independent of the build system and can be used to validate the integrity of a maven repository.\n- NPM: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json\n- Ruby: Bundler has built-in checksum verification since 2.6, see [doc](https://mensfeld.pl/2025/01/the-silent-guardian-why-bundler-checksums-are-a-game-changer-for-your-applications/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fmaven-lockfile","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchains-project%2Fmaven-lockfile","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fmaven-lockfile/lists"}