Chainguard Libraries for Java

The May 2025 Learning Lab with Manfred Moser covers Chainguard Libraries for Java. It starts with an overview about libraries and the Java ecosystem and progresses to a demo with Apache Maven and Sonatype Nexus.

Sections

• 0:00 Introduction and agenda
• 2:38 Chainguard and containers
• 3:47 Chainguard Factory
• 4:57 Concepts - from containers to libraries
• 9:00 Java and Java libraries
• 12:45 Software supply chain of libraries and attacks
• 19:27 Dependency supply in Java
• 20:30 Repository concept and Maven Central
• 24:32 Chainguard Libraries for Java and repository manager intro
• 28:17 Developer tools
• 29:21 Demo start and setup with chainctl
• 32:55 Sonatype Nexus configuration
• 37:30 Maven configuration
• 40:41 Example project setup, build, and results
• 44:57 Dependency list and tree
• 47:00 Results and verification
• 49:37 Summary
• 50:43 Up next
• 52:55 Questions

Demo

Following are some of the commands used in the demo. More information can be found in the slide deck, the linked resources, and the video.

Creating a pull token:

chainctl auth login

chainctl libraries entitlements list

chainctl auth pull-token --library-ecosystem=java --ttl=1h

Cleaning up the local Maven repository cache:

rm -rf ~/.m2/repository

Building Trino Gateway from source and looking at dependencies:

cd trino-gateway

./mvnw clean install -DskipTests=true

./mvnw dependency:list

./mvnw dependency:tree

Reesource Links

• Chainguard Libraries
• Chainguard Libraries documentation
• Chainguard Libraries for Java documentation
• Slide deck
• Apache Maven
• Sonatype Nexus Repository
• Apache Maven dependency plugin