fossabot customers have overwhelmingly requested support for Java dependency upgrades — now it’s here!
Java joins JavaScript/TypeScript as strongly supported across dependency analysis, intelligent strategic upgrades, and SAST code review.
For context, Python, Golang, Ruby, and Rust are beta-quality for dependency upgrades, with lots of forward progress happening, and all are strongly supported for SAST reviews.

fossabot proposed update for a Java project
Supporting Gradle/Maven & Kotlin Codebases
fossabot supports codebases using Gradle and Maven for package management. Private code mirrors can be configured in addition to Maven Central.
For Gradle, fossabot handles both single and multi-module projects. Kotlin DSL is also supported.
Support for Gradle's dynamic features will follow later, such as:
- Variable interpolation (`${version}`)
- Version catalog references as dependencies (`libs.slf4j.api`)
- Map notation dependencies
- BOM-managed versionless dependencies
- Conditional or dynamic version selectors
Get in touch with the team if you have questions about proper support for your codebases.
Measuring Accuracy, Consistency, and Correctness for Java
We’ve previously discussed fossabot’s evaluation framework, which measures accuracy, consistency, and correctness and also protects us from regressions caused by continuous AI model development.
For our Java ecosystems, we’ve built out our initial set of “ground truth” data and will continue to expand it. Our ground truth is a set of dependency upgrades of varying complexity and size that are processed to pull out the important feature changes, deprecations, security fixes, and breaking changes and verify them against a sample codebase.
Determining the Correct Verdict
The evaluation framework’s most important metric is our verdict classification: if an upgrade is deemed safe and risk-free, do we correctly classify that with both accuracy and consistency? As we’ve covered before, fossabot errs on the conservative side in these determinations, so we are very happy with these first results:
| Accuracy | Precision | Recall | F1 Score |
|---|---|---|---|
| 86.7% | 87.5% | 87.5% | 87.5% |
Codebases and dependencies vary in complexity, of course, so we’re continually updating this ground truth with our own research and customer-contributed edge cases.
Try Out fossabot
fossabot is available as a GitHub app. Every user gets $15 of analysis credit, replenished every month. Let loose the updates!
Reach out to get a demo of fossabot, and let's figure out how to get your teams caught up on updates.
