Hi dev list,

I'd like to propose a small enhancement to the maven-dependency-plugin.

From a Software Composition Analysis (SCA) and security perspective, it's crucial to verify the exact artifact that has been resolved during a build. Private or third-party repositories may provide artifacts that have been patched or altered but retain the same GAV (GroupId, ArtifactId, Version) coordinates. This makes identifying the specific artifact provenance a challenge.

Would the team consider adding an optional flag (e.g., -DshowChecksums) to commands like dependency:tree and dependency:list that would display the SHA-1 hash of the resolved artifact? This would provide a simple, standardized way to verify artifact integrity without relying on third-party plugins, which are often restricted in corporate environments.

Is this functionality something that would be within the scope of the maven-dependency-plugin, or would it be better suited for another plugin or Maven core itself?

Thanks,
Calum
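As an added illustration (not code from the proposal or from the maven-dependency-plugin), the script below does by hand what the proposed flag would print: it walks a local-repository layout, computes the SHA-1 of each resolved jar, recovers its GAV from the directory path, and compares the digest with the `.sha1` sidecar Maven stores next to a downloaded artifact. The repository it audits is a constructed temporary directory with one intact jar, one altered jar carrying the same GAV, and one jar with no checksum; the directory layout and file names are assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path: Path) -> str:
    """SHA-1 of the resolved artifact, read in chunks so large jars are fine."""
    digest = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def gav_from_path(repo: Path, jar: Path) -> str:
    """Recover GAV from the repository layout <group/path>/<artifactId>/<version>/<file>."""
    parts = jar.relative_to(repo).parts
    return f"{'.'.join(parts[:-3])}:{parts[-3]}:{parts[-2]}"


def audit_repo(repo: Path) -> dict:
    """Map GAV -> (sha1, status); status is 'ok', 'MISMATCH' or 'no-sidecar'.
    The .sha1 sidecar is the checksum fetched from the remote repository, so
    comparing it with the bytes on disk is the manual form of the proposed flag."""
    report = {}
    for jar in sorted(repo.rglob("*.jar")):
        actual = sha1_of_file(jar)
        sidecar = jar.with_name(jar.name + ".sha1")
        if not sidecar.exists():
            status = "no-sidecar"
        else:
            # Sidecars are usually just the hex digest; some carry "<hash>  <filename>".
            expected = sidecar.read_text().split()[0].lower()
            status = "ok" if expected == actual else "MISMATCH"
        report[gav_from_path(repo, jar)] = (actual, status)
    return report


def build_demo_repo() -> Path:
    """Constructed sample repo: intact jar, altered jar with the same GAV, jar without checksum."""
    repo = Path(tempfile.mkdtemp(prefix="m2-demo-"))

    def put(ga, version, content, sidecar_source=None):
        group, artifact = ga.split(":")
        d = repo.joinpath(*group.split("."), artifact, version)
        d.mkdir(parents=True)
        jar = d / f"{artifact}-{version}.jar"
        jar.write_bytes(content)
        if sidecar_source is not None:  # sidecar records the digest of the ORIGINAL bytes
            jar.with_name(jar.name + ".sha1").write_text(hashlib.sha1(sidecar_source).hexdigest())

    put("org.example:lib-ok", "1.0", b"pristine jar bytes", b"pristine jar bytes")
    put("org.example:lib-patched", "1.0", b"patched jar bytes", b"pristine jar bytes")
    put("org.example:lib-nosum", "1.0", b"jar bytes")
    return repo


if __name__ == "__main__":
    for gav, (sha1, status) in audit_repo(build_demo_repo()).items():
        print(f"{gav}  sha1={sha1}  {status}")
```

A MISMATCH row is exactly the case the proposal describes: same GAV, different bytes than the checksum published for that artifact.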