Java on

Chainguard Libraries for Java overview

Tue, 25 Mar 2025 08:04:00 +0000

Introduction

Chainguard Libraries for Java provides enhanced security for the Java ecosystem by rebuilding popular Maven dependencies with the latest patches and comprehensive supply chain protection. As the first supported ecosystem in Chainguard Libraries, this service addresses critical vulnerabilities in the vast Java/JVM ecosystem that spans hundreds of projects from organizations like the Apache Software Foundation, Eclipse Foundation, and numerous independent maintainers.

Global configuration

Tue, 25 Mar 2025 08:04:00 +0000

Java and JVM library consumption in a large organization is typically managed by a repository manager. Commonly used repository manager applications are Cloudsmith, Google Artifact Registry, JFrog Artifactory, and Sonatype Nexus Repository. The repository manager acts as a single point of access for developers and development tools to retrieve the required libraries.

At a high level, adopting the use of Chainguard Libraries consists of the following steps:

Add Chainguard Libraries as a remote repository for library retrieval.
Configure the Chainguard Libraries repository as the first choice for any library access. This ensures that any future requests of new libraries access the version supplied by Chainguard. Typically this is accomplished by creating a group repository or virtual repository that combines the repository with other external and internal repositories.

Additional steps depend on the desired insights and can include the following optional measures:

Build configuration

Tue, 25 Mar 2025 08:04:00 +0000

The configuration for the use of Chainguard Libraries depends on your build tools, continuous integration, and continuous deployment setups

At a high level adopting the use of Chainguard Libraries consists of the following steps:

Remove local caches on workstations and CI/CD pipelines. This step ensures that any libraries that were already sourced from other repositories are requested again and the version from Chainguard Libraries is used instead of other binaries.
Change configuration to access Chainguard Libraries via your repository manager after the changes from the global configuration are implemented.

These changes must be performed on all workstations of individual developers and other engineers running relevant application builds. They must also be performed on any build server such as Jenkins, TeamCity, GitHub or other infrastructure that builds the applications or otherwise downloads and uses relevant libraries.

Management and maintenance

Tue, 25 Mar 2025 08:04:00 +0000

Chainguard Libraries for Java operates transparently after completing the global configuration and build configuration, automatically providing security-enhanced versions of your Maven dependencies. New artifacts and versions are retrieved from Chainguard’s hardened repository when available, while Maven Central and other configured repositories provide fallback access to ensure continuous development workflow without interruption.

The following sections detail optional management, maintenance, and auditing steps on the repository manager and the build tool.

Source verification

Use chainver to verify that a specific library or file originates from Chainguard in an automated fashion or follow the steps in this section for manual verification.