Maven plugin to generate and verify sha256 of project dependencies.
Generates the file with the sha256 of project dependencies, that will be used to verify them during building phases.
Verifies the sha256 of project dependencies using the file generated with the goal depcheck:generate.
Declare in your setting.xml the credentials to download this plugin from GitHub Maven Registry:
<settings>
<servers>
<server>
<id>github</id>
<username>YOUR GITHUB USER NAME</username>
<password>YOUR GITHUB PERSONAL ACCESS TOKEN WITH AT LEAST read:packages SCOPE</password>
</server>
</servers>
</settings>
Declare in your pom.xml the GitHub Maven Registry to download this plugin:
<pluginRepository>
<id>github</id>
<url>https://maven.pkg.github.com/pagopa/depcheck</url>
</pluginRepository>
Declare in your pom.xml the depcheck plugin:
<plugin>
<groupId>it.pagopa.maven</groupId>
<artifactId>depcheck</artifactId>
<version>1.0.2</version>
<executions>
<execution>
<phase>validate</phase>
<goals>
<goal>verify</goal>
</goals>
</execution>
</executions>
<configuration>
<fileName>dep-sha256.json</fileName>
<includePlugins>false</includePlugins>
<includeParent>false</includeParent>
<excludes>
<exampleGroupID_1>exampleArtifactID_1,exampleArtifactID_2</exampleGroupID_1>
<exampleGroupID_2>exampleArtifactID_1</exampleGroupID_2>
</excludes>
</configuration>
</plugin>
In this way during the validation phase of the project, the sha256 of the dependencies will be verified.
To generate the file with sha256:
mvn depcheck:generate
Name | Type | Description |
---|---|---|
fileName | String | File with sha256 of project dependencies. It must be relative to project home (where is the pom.xml). |
addFileName | String | File with sha256 of project dependencies added manually. |
includePlugins | boolean | If true, the plugins will be taken into account. |
includeParent | boolean | If true, the dependencies of the parent project will be taken into account. |
excludes | Map<String, List> | List of dependencies to exclude. |