Is your feature request related to a problem? Please describe.
This is a new type of Java lockfile (think: requirements.txt produced by something like pip-compile).
Describe the solution you'd like
It would be nice if DependencyCheck supported it. Since all dependencies are fully transitively resolved,
I believe that all that needs to be done is creating a virtual dependency corresponding to each dependency.
Describe alternatives you've considered
I thought about:
- producing a bundle jar, and scanning that. Seems heavyweight and relies on the bundling process not to lose any versions.
- auto-generating another manifest (pom.xml?). If DependencyCheck supports scanning a pom.xml in isolation, great. But if not, we recurse. Either way, seems simpler to support this format.
Additional context
For more info, see: https://github.com/bazelbuild/rules_jvm_external/#pinning-artifacts-and-integration-with-bazels-downloader
Note: This is not a niche homegrown thing, but a standard used in increasingly many projects. GitHub search of a sentinel used in the pinned file finds 175 repos at the time of writing: https://github.com/search?q=THERE_IS_NO_DATA_ONLY_ZUUL&type=code
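Added example, not part of the issue above and not DependencyCheck's own code: a Python sketch of the analyzer the request describes, which detects a rules_jvm_external lockfile by its sentinel, flattens the resolved tree into one virtual dependency per coordinate, and checks the "fully transitively resolved" assumption the request relies on. The lockfile layout (a `dependency_tree` object holding the sentinel key and a `dependencies` list of entries with `coord`, `dependencies` and `sha256`) is assumed from the rules_jvm_external docs linked above; the sample file is constructed, with its `file`/`url` fields omitted, and the `VirtualDependency`/purl shape is an illustrative choice rather than DependencyCheck's internal model.

```python
"""Flatten a rules_jvm_external maven_install.json into virtual Maven deps."""
import json
from dataclasses import dataclass
from typing import List, Optional, Set

SENTINEL_KEY = "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY"
SENTINEL_VALUE = "THERE_IS_NO_DATA_ONLY_ZUUL"  # the search term quoted in the issue

# Constructed sample (not a real project's lockfile); layout assumed from the
# rules_jvm_external docs. Real files also carry "file" and "url" per entry.
SAMPLE_LOCKFILE = json.dumps({"dependency_tree": {
    SENTINEL_KEY: SENTINEL_VALUE,
    "dependencies": [
        {"coord": "com.google.guava:guava:28.0-jre",
         "dependencies": ["com.google.guava:failureaccess:1.0.1"],
         "directDependencies": ["com.google.guava:failureaccess:1.0.1"],
         "sha256": "0" * 64},
        {"coord": "com.google.guava:failureaccess:1.0.1",
         "dependencies": [], "directDependencies": [], "sha256": "1" * 64},
        # five-part coordinate: group:artifact:packaging:classifier:version
        {"coord": "io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.34.Final",
         "dependencies": [], "directDependencies": [], "sha256": "2" * 64},
    ],
    "version": "0.1.0",
}})


@dataclass(frozen=True)
class VirtualDependency:
    """One resolved artifact: the unit a scanner matches against CPE/CVE data."""
    group: str
    artifact: str
    version: str
    packaging: str = "jar"
    classifier: Optional[str] = None
    sha256: Optional[str] = None

    @property
    def purl(self) -> str:
        """pkg:maven Package URL; qualifiers only when they differ from defaults."""
        base = f"pkg:maven/{self.group}/{self.artifact}@{self.version}"
        qualifiers = []
        if self.packaging != "jar":
            qualifiers.append(f"type={self.packaging}")
        if self.classifier:
            qualifiers.append(f"classifier={self.classifier}")
        return base + ("?" + "&".join(qualifiers) if qualifiers else "")


def parse_coord(coord: str, sha256: Optional[str] = None) -> VirtualDependency:
    """Split a Maven coordinate in one of the three shapes rules_jvm_external writes:
    group:artifact:version | group:artifact:packaging:version |
    group:artifact:packaging:classifier:version"""
    parts = coord.split(":")
    if len(parts) == 3:
        group, artifact, version = parts
        return VirtualDependency(group, artifact, version, sha256=sha256)
    if len(parts) == 4:
        group, artifact, packaging, version = parts
        return VirtualDependency(group, artifact, version, packaging, sha256=sha256)
    if len(parts) == 5:
        group, artifact, packaging, classifier, version = parts
        return VirtualDependency(group, artifact, version, packaging, classifier, sha256)
    raise ValueError(f"unrecognised Maven coordinate: {coord!r}")


def is_maven_install_lockfile(data: dict) -> bool:
    """Detection rule: the autogenerated-file sentinel sits inside dependency_tree."""
    tree = data.get("dependency_tree")
    return isinstance(tree, dict) and tree.get(SENTINEL_KEY) == SENTINEL_VALUE


def parse_lockfile(text: str) -> List[VirtualDependency]:
    """One virtual dependency per distinct coordinate, in file order."""
    data = json.loads(text)
    if not is_maven_install_lockfile(data):
        raise ValueError("not a rules_jvm_external maven_install.json lockfile")
    seen: Set[str] = set()
    result: List[VirtualDependency] = []
    for entry in data["dependency_tree"].get("dependencies", []):
        coord = entry["coord"]
        if coord in seen:
            continue
        seen.add(coord)
        result.append(parse_coord(coord, entry.get("sha256")))
    return result


def missing_transitives(text: str) -> Set[str]:
    """Coordinates referenced under some entry's "dependencies" that have no
    top-level entry of their own. Empty means the file really is fully resolved,
    which is the precondition for flattening it instead of re-resolving."""
    entries = json.loads(text)["dependency_tree"].get("dependencies", [])
    known = {e["coord"] for e in entries}
    referenced = {c for e in entries for c in e.get("dependencies", [])}
    return referenced - known
```

Running `missing_transitives` before trusting the flattened list is the caveat worth keeping: a hand-edited or partially regenerated lockfile that references coordinates it never pins would otherwise silently drop those artifacts from the scan.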