Maven-Lockfile: High Integrity Rebuild of Past Java Releases
Larissa Schmid, Elias Lundell, Yogya Gamage, Benoit Baudry, Martin Monperrus
TL;DR
The paper addresses the lack of native lockfile support in Maven, which hampers reproducible and secure Java builds. It introduces Maven-Lockfile, a tool that generates and updates JSON lockfiles, validates build environments, rebuilds historical releases, and provides CI integration to maintain lockfile integrity. The authors demonstrate that lockfiles enable reconstructing past builds and detecting tampering, with experiments showing successful rebuilds for most historical releases and tamper-detection capabilities. This work offers a practical pathway to long-term build integrity in Java and lays a foundation for broader software supply chain security research.
Abstract
Modern software projects depend on many third-party libraries, complicating reproducible and secure builds. Several package managers address this with the generation of a lockfile that freezes dependency versions and can be used to verify the integrity of dependencies. Yet Maven, one of the most important package managers in the Java ecosystem, lacks native support for a lockfile. We present Maven-Lockfile to generate and update lockfiles, with support for rebuilding projects from past versions. Our lockfiles capture all direct and transitive dependencies with their checksums, enabling high-integrity builds. Our evaluation shows that Maven-Lockfile can reproduce builds from historical commits and is able to detect tampered artifacts. With minimal configuration, Maven-Lockfile equips Java projects with modern build integrity and build reproducibility, and fosters future research on software supply chain security in Java.
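To make the integrity mechanism the abstract describes concrete, here is an added example (not code from the paper or from the Maven-Lockfile project) of the two operations a lockfile supports: freezing every resolved artifact with its checksum, and later checking the artifacts a build actually resolved against that frozen record. The JSON layout, the artifact coordinates and the jar bytes are constructed for this illustration and are not the schema Maven-Lockfile writes.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for resolved Maven artifacts: coordinate -> jar bytes.
# Real artifacts would be read from the local repository (~/.m2) after resolution.
SAMPLE_ARTIFACTS = {
    "org.example:lib-a:1.0.0": b"jar bytes for lib-a 1.0.0 (constructed)",
    "org.example:lib-b:2.3.1": b"jar bytes for lib-b 2.3.1 (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_lockfile(artifacts: dict[str, bytes]) -> dict:
    """Freeze every resolved artifact (direct and transitive alike) with its checksum.

    The dictionary layout below is an assumed, illustrative schema.
    """
    deps = []
    for coordinate, data in sorted(artifacts.items()):
        group, artifact, version = coordinate.split(":")
        deps.append({
            "groupId": group,
            "artifactId": artifact,
            "version": version,
            "checksumAlgorithm": "sha256",
            "checksum": sha256_hex(data),
        })
    return {"lockfileVersion": 1, "dependencies": deps}


def lockfile_to_json(lockfile: dict) -> str:
    """Serialize deterministically so the committed file only changes when content does."""
    return json.dumps(lockfile, indent=2, sort_keys=True) + "\n"


def verify_lockfile(lockfile: dict, artifacts: dict[str, bytes]) -> list[str]:
    """Compare resolved artifacts against the lockfile.

    Returns a list of findings; an empty list means the build inputs match the
    record exactly. Three failure modes are reported: a locked artifact that is
    absent, an artifact whose bytes no longer hash to the locked checksum
    (tampering or a silently replaced release), and an artifact that was
    resolved but never locked (an unpinned dependency slipping in).
    """
    findings = []
    expected = {}
    for dep in lockfile["dependencies"]:
        coordinate = f"{dep['groupId']}:{dep['artifactId']}:{dep['version']}"
        expected[coordinate] = dep["checksum"]

    for coordinate, checksum in expected.items():
        data = artifacts.get(coordinate)
        if data is None:
            findings.append(f"missing: {coordinate}")
        elif not hmac.compare_digest(sha256_hex(data), checksum):
            findings.append(f"checksum mismatch: {coordinate}")

    for coordinate in artifacts:
        if coordinate not in expected:
            findings.append(f"unlocked dependency: {coordinate}")
    return findings


if __name__ == "__main__":
    lock = generate_lockfile(SAMPLE_ARTIFACTS)
    print(lockfile_to_json(lock))
    print("clean build:", verify_lockfile(lock, SAMPLE_ARTIFACTS))

    # Simulate a tampered artifact served under the same coordinates.
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["org.example:lib-a:1.0.0"] = b"different bytes (constructed)"
    print("tampered build:", verify_lockfile(lock, tampered))
```

In a CI setup the lockfile is committed next to the build definition; the pipeline regenerates it from a fresh resolution and fails if `verify_lockfile` reports anything, which is the check that turns a historical rebuild into a high-integrity one.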
