Maven-Lockfile: High Integrity Rebuild of Past Java Releases
- URL: http://arxiv.org/abs/2510.00730v2
- Date: Mon, 06 Oct 2025 10:32:59 GMT
- Title: Maven-Lockfile: High Integrity Rebuild of Past Java Releases
- Authors: Larissa Schmid, Elias Lundell, Yogya Gamage, Benoit Baudry, Martin Monperrus
- Abstract summary: Maven is one of the most important package managers in the Java ecosystem. We present Maven-Lockfile to generate and update lockfiles with support for rebuilding projects from past versions. Our evaluation shows that Maven-Lockfile can reproduce builds from historical commits and is able to detect tampered artifacts.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Modern software projects depend on many third-party libraries, complicating reproducible and secure builds. Several package managers address this with the generation of a lockfile that freezes dependency versions and can be used to verify the integrity of dependencies. Yet, Maven, one of the most important package managers in the Java ecosystem, lacks native support for a lockfile. We present Maven-Lockfile to generate and update lockfiles, with support for rebuilding projects from past versions. Our lockfiles capture all direct and transitive dependencies with their checksums, enabling high integrity builds. Our evaluation shows that Maven-Lockfile can reproduce builds from historical commits and is able to detect tampered artifacts. With minimal configuration, Maven-Lockfile equips Java projects with modern build integrity and build reproducibility, and fosters future research on software supply chain security in Java.
Related papers
- RealSec-bench: A Benchmark for Evaluating Secure Code Generation in Real-World Repositories
  Large Language Models (LLMs) have demonstrated remarkable capabilities in code generation, but their proficiency in producing secure code remains a critical, under-explored area. We introduce RealSec-bench, a new benchmark for secure code generation meticulously constructed from real-world, high-risk Java repositories.
  (arXiv, 2026-01-30T08:29:01Z)
- On the Freshness of Pinned Dependencies in Maven
  We show that over 60% of consumers of popular Maven libraries contain stale pins to their dependencies. We prototype an approach called Pin-Freshener that can encourage developers to freshen their pins by leveraging crowdsourced tests of peer projects. Our evaluation on real-world pins to the top 500 popular libraries in Maven shows that Pin-Freshener can provide an additional signal of at least 5 passing crowdsourced test suites.
  (arXiv, 2025-10-26T20:02:49Z)
- Unlocking Reproducibility: Automating re-Build Process for Open-Source Software
  Software ecosystems like Maven Central play a crucial role in modern software supply chains. Approximately 84% of the top 1200 commonly used artifacts are not built using a transparent CI/CD pipeline. We introduce an extension to Maven, an industry-grade open-source supply chain security framework, to automate the rebuilding of Maven artifacts from source.
  (arXiv, 2025-09-10T00:23:08Z)
- Many-Turn Jailbreaking
  We propose exploring multi-turn jailbreaking, in which the jailbroken LLMs are continuously tested on more than a single target query. We construct a Multi-Turn Jailbreak Benchmark (MTJ-Bench) for benchmarking this setting on a series of open- and closed-source models.
  (arXiv, 2025-08-09T00:02:39Z)
- SwingArena: Competitive Programming Arena for Long-context GitHub Issue Solving
  We present SwingArena, a competitive evaluation framework for Large Language Models (LLMs). Unlike traditional static benchmarks, SwingArena models the collaborative process of software by pairing LLMs as iterations, who generate patches, and reviewers, who create test cases and verify the patches through continuous integration (CI) pipelines.
  (arXiv, 2025-05-29T18:28:02Z)
- The Design Space of Lockfiles Across Package Managers
  We perform the first comprehensive study of lockfiles across 7 popular package managers: npm, pnpm, Cargo, Poetry, Pipenv, Gradle, and Go. We capture first-hand insights about the benefits that developers perceive in lockfiles, as well as the challenges they face to manage these files.
  (arXiv, 2025-05-07T22:18:40Z)
- Local Software Buildability across Java Versions (Registered Report)
  We will try to automatically build every project in containers with Java versions 6 to 23 installed. Success or failure will be determined by exit codes, and standard output and error streams will be saved.
  (arXiv, 2024-08-21T11:51:00Z)
- Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order
  We present Maven-Hijack, a novel attack that exploits the order in which Maven packages dependencies. By injecting a malicious class with the same fully qualified name as a legitimate one into a dependency that is packaged earlier, an attacker can silently override core application behavior. We evaluate three mitigation strategies: sealed JARs, Java Modules, and the Maven Enforcer plugin.
  (arXiv, 2024-07-26T14:17:47Z)
- Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries
  Industrial applications heavily rely on open-source software (OSS) libraries, which provide various benefits. To monitor the activities of such communities, a comprehensive list of repositories for the libraries of an ecosystem must be accessible. In this study, we analyze the accessibility of GitHub repositories for PyPI and NPM libraries.
  (arXiv, 2024-04-26T13:27:04Z)
- On the Security Blind Spots of Software Composition Analysis
  We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
  (arXiv, 2023-06-08T20:14:46Z)
- Repro: An Open-Source Library for Improving the Reproducibility and Usability of Publicly Available Research Code
  Repro is an open-source library which aims at improving the usability of research code. It provides a lightweight Python API for running software released by researchers within Docker containers.
  (arXiv, 2022-04-29T01:54:54Z)