You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
🧰 Demo: Converting a Java App to Use Chainguard Libraries
24
+
25
+
This demo walks through taking an existing sample Java application and rebuilding it using Chainguard Libraries for Java.
26
+
We’ll demonstrate how to transition from using Maven Central to Chainguard’s trusted library source — without modifying your source code or build process — while gaining improved security and provenance.
27
+
28
+
To keep everything portable and reproducible, the demo uses containerized builds rather than local Maven setups.
29
+
30
+
The application is a simple Java Spring Boot application that returns a string when a post is sent.
- Rebuild the same application using Chainguard Libraries for Java, keeping the same upstream Maven and Temurin containers.
40
+
- Demonstrate that switching dependency sources has no impact on functionality.
41
+
- Re-scan the image to show that dependencies are now covered by Chainguard’s verified library set.
42
+
43
+
3. Chainguard Build & Runtime Containers:
44
+
- Rebuild and run the application using both Chainguard’s build and runtime container images together with Chainguard Libraries.
45
+
- Perform a final scan to confirm full coverage from Chainguard’s trusted ecosystem and show that the application still functions as expected.
46
+
47
+
4. Lastly we will look at how to view provenance for Chainguard Libraries for Java. We will look at an SBOM for one of the dependencies and discuss some key attributes.
banner "Step 1: Build and run using upstream Java images and Maven Central - Let's get a baseline by building our app as is, without using Chainguard Libraries"
71
+
72
+
pei "# We will build a sample Java app using Maven Central for dependencies and the upstream maven image."
73
+
pei "# Lets take a look at the pom file first, if you focus on the dependencies you'll see some standard spring boot dependencies are needed for the build:"
74
+
pe "awk '/<dependencies>/,/<\/dependencies>/' pom.xml"
75
+
pei ""
76
+
77
+
p "# Let's take a look at the dockerfile:"
78
+
pei 'cat Dockerfile'
79
+
pei ""
80
+
81
+
p '# Now lets set our builder and runtime image and build the project. This is a simple spring boot app that returns a sting when sending a request.'
banner "Step 2: Build using Chainguard Libraries with upstream Maven and Temurin Images."
108
+
109
+
p "# In order to use Chainguard Libraries for Java to build our app, we will need to create a pull token for the Java ecosystem. Press enter to create your token."
pe "# Now that we have our credentials we need to create a settings.xml file to configure it to use the Chainguard repo, notice that we are referencing our credentials in the file as environment variables:"
115
+
pei 'cat settings.xml'
116
+
pei ""
117
+
118
+
119
+
pe '# Now lets set our tag, builder and runtime image and build the same app as before but using chainguard libraries.'
120
+
pei "TAG=\"upstream-cg-libs\""
121
+
pei "BUILDER_IMAGE=\"maven\""
122
+
pei "RUNTIME_IMAGE=\"eclipse-temurin\""
123
+
124
+
pe "# Lets take a look at the dockerfile as it is slightly different from before, notice that we will be passing in our credentials as build secrets so that they are not stored in the layers or in the builder logs:"
125
+
pei 'cat ../step2-cg-build/Dockerfile'
126
+
pei ""
127
+
128
+
pei "# Below is the command we will use to build the image, notice we are passing in the credentials as build secrets."
pei "# Each Java dependency built by Chainguard is accompanied by an SBOM, the SBOMs are published alongside each artifact as an SPDX JSON file named artifactId-version.spdx.json in the Chainguard Maven Repository."
192
+
pei '# Chainver compares the package checksum with the one listed in the SBOM to determine if the package was built by Chainguard or not. Lets take a look at the SBOM for the spring-boot-starter-web dependency, we will start by downloading the SBOM from the Chainguard Maven repository:'
0 commit comments