fix: sort Java properties

ppkarwasz · ppkarwasz · commit 2cac4bd5ed23 · 2026-04-20T15:22:31.000+02:00
diff --git a/src/main/java/org/apache/commons/release/plugin/internal/BuildDefinitions.java b/src/main/java/org/apache/commons/release/plugin/internal/BuildDefinitions.java
@@ -26,6 +26,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
+import java.util.TreeMap;
 
 import org.apache.commons.release.plugin.slsa.v1_2.ResourceDescriptor;
 import org.apache.maven.execution.MavenExecutionRequest;
@@ -86,15 +87,11 @@ public static Map<String, Object> externalParameters(final MavenSession session)
      */
     public static ResourceDescriptor jvm(final Path javaHome) throws IOException {
         final String[] propertyNames = {
-            "java.version", "java.version.date",
-            "java.vendor", "java.vendor.url", "java.vendor.version",
-            "java.home",
-            "java.vm.specification.version", "java.vm.specification.vendor", "java.vm.specification.name",
-            "java.vm.version", "java.vm.vendor", "java.vm.name",
-            "java.specification.version", "java.specification.maintenance.version",
-            "java.specification.vendor", "java.specification.name",
+                "java.home", "java.specification.maintenance.version", "java.specification.name", "java.specification.vendor", "java.specification.version",
+                "java.vendor", "java.vendor.url", "java.vendor.version", "java.version", "java.version.date", "java.vm.name", "java.vm.specification.name",
+                "java.vm.specification.vendor", "java.vm.specification.version", "java.vm.vendor", "java.vm.version"
         };
-        final Map<String, Object> annotations = new HashMap<>();
+        final Map<String, Object> annotations = new TreeMap<>();
         for (final String prop : propertyNames) {
             annotations.put(prop.substring("java.".length()), System.getProperty(prop));
         }
diff --git a/src/site/markdown/slsa/v0.1.0.md b/src/site/markdown/slsa/v0.1.0.md
@@ -77,22 +77,22 @@ The following annotations are recorded from [
 
 | Annotation key                      | System property                          | Description                                                              |
 |-------------------------------------|------------------------------------------|--------------------------------------------------------------------------|
-| `version`                           | `java.version`                           | Java Runtime Environment version.                                        |
-| `version.date`                      | `java.version.date`                      | Java Runtime Environment version date, in ISO-8601 YYYY-MM-DD format.    |
+| `home`                              | `java.home`                              | Java installation directory.                                             |
+| `specification.maintenance.version` | `java.specification.maintenance.version` | Java Runtime Environment specification maintenance version _(optional)_. |
+| `specification.name`                | `java.specification.name`                | Java Runtime Environment specification name.                             |
+| `specification.vendor`              | `java.specification.vendor`              | Java Runtime Environment specification vendor.                           |
+| `specification.version`             | `java.specification.version`             | Java Runtime Environment specification version.                          |
 | `vendor`                            | `java.vendor`                            | Java Runtime Environment vendor.                                         |
 | `vendor.url`                        | `java.vendor.url`                        | Java vendor URL.                                                         |
 | `vendor.version`                    | `java.vendor.version`                    | Java vendor version _(optional)_.                                        |
-| `home`                              | `java.home`                              | Java installation directory.                                             |
-| `vm.specification.version`          | `java.vm.specification.version`          | Java Virtual Machine specification version.                              |
-| `vm.specification.vendor`           | `java.vm.specification.vendor`           | Java Virtual Machine specification vendor.                               |
+| `version`                           | `java.version`                           | Java Runtime Environment version.                                        |
+| `version.date`                      | `java.version.date`                      | Java Runtime Environment version date, in ISO-8601 YYYY-MM-DD format.    |
+| `vm.name`                           | `java.vm.name`                           | Java Virtual Machine implementation name.                                |
 | `vm.specification.name`             | `java.vm.specification.name`             | Java Virtual Machine specification name.                                 |
-| `vm.version`                        | `java.vm.version`                        | Java Virtual Machine implementation version.                             |
+| `vm.specification.vendor`           | `java.vm.specification.vendor`           | Java Virtual Machine specification vendor.                               |
+| `vm.specification.version`          | `java.vm.specification.version`          | Java Virtual Machine specification version.                              |
 | `vm.vendor`                         | `java.vm.vendor`                         | Java Virtual Machine implementation vendor.                              |
-| `vm.name`                           | `java.vm.name`                           | Java Virtual Machine implementation name.                                |
-| `specification.version`             | `java.specification.version`             | Java Runtime Environment specification version.                          |
-| `specification.maintenance.version` | `java.specification.maintenance.version` | Java Runtime Environment specification maintenance version _(optional)_. |
-| `specification.vendor`              | `java.specification.vendor`              | Java Runtime Environment specification vendor.                           |
-| `specification.name`                | `java.specification.name`                | Java Runtime Environment specification name.                             |
+| `vm.version`                        | `java.vm.version`                        | Java Virtual Machine implementation version.                             |
 
 #### Maven
 
@@ -154,10 +154,12 @@ By default, every subject carries `md5`, `sha1`, `sha256` and `sha512` digests.
 
 The following is the bare attestation statement produced for the `commons-text` 1.4 release
 (abridged: most subjects are elided, and the JDK annotations trimmed). The full fixture lives at
-[`src/test/resources/attestations/commons-text-1.4.intoto.json`](https://github.com/apache/commons-release-plugin/blob/main/src/test/resources/attestations/commons-text-1.4.intoto.json)
+[
+`src/test/resources/attestations/commons-text-1.4.intoto.json`](https://github.com/apache/commons-release-plugin/blob/main/src/test/resources/attestations/commons-text-1.4.intoto.json)
 in the plugin source tree.
 
-The statement shown below is wrapped in a [DSSE envelope](https://github.com/secure-systems-lab/dsse/blob/master/envelope.md)
+The statement shown below is wrapped in
+a [DSSE envelope](https://github.com/secure-systems-lab/dsse/blob/master/envelope.md)
 signed with the release manager's OpenPGP key, and the `.intoto.jsonl` file deployed to Maven Central
 contains that envelope.
 
@@ -191,8 +193,12 @@ contains that envelope.
     "buildDefinition": {
       "buildType": "https://commons.apache.org/builds/0.1.0",
       "externalParameters": {
-        "maven.goals": ["deploy"],
-        "maven.profiles": ["release"],
+        "maven.goals": [
+          "deploy"
+        ],
+        "maven.profiles": [
+          "release"
+        ],
         "maven.user.properties": {
           "gpg.keyname": "3C8D57E0A2B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9"
         },
@@ -212,21 +218,25 @@ contains that envelope.
         // JDK that ran the build
         {
           "name": "JDK",
-          "digest": { "gitTree": "bdb67e47c1b7df9c35ae045f29a348bb5bd32dc3" },
+          "digest": {
+            "gitTree": "bdb67e47c1b7df9c35ae045f29a348bb5bd32dc3"
+          },
           "annotations": {
-            "vendor": "Eclipse Adoptium",
-            "vendor.version": "Temurin-25.0.2+10",
-            "version": "25.0.2",
-            "vm.name": "OpenJDK 64-Bit Server VM",
-            "vm.version": "25.0.2+10-LTS"
+            "home": "/usr/lib/jvm/temurin-25-jdk-amd64",
+            "specification.maintenance.version": null,
+            "specification.name": "Java Platform API Specification",
+            "specification.vendor": "Oracle Corporation",
+            "specification.version": "25",
             // … remaining java.* system properties elided …
           }
         },
         // Maven installation
         {
           "name": "Maven",
           "uri": "pkg:maven/org.apache.maven/apache-maven@3.9.12",
-          "digest": { "gitTree": "3cdb4a67690dc18373f70ead98dc86567cc5ad67" },
+          "digest": {
+            "gitTree": "3cdb4a67690dc18373f70ead98dc86567cc5ad67"
+          },
           "annotations": {
             "distributionId": "apache-maven",
             "distributionName": "Apache Maven",
@@ -238,7 +248,9 @@ contains that envelope.
         // Source revision (branch or tag at release time)
         {
           "uri": "git+https://github.com/apache/commons-text.git@rel/commons-text-1.4",
-          "digest": { "gitCommit": "f519b3670795da3fb4f43b6af1f727eadf8e6800" }
+          "digest": {
+            "gitCommit": "f519b3670795da3fb4f43b6af1f727eadf8e6800"
+          }
         }
       ]
     },
diff --git a/src/test/resources/attestations/commons-text-1.4.intoto.json b/src/test/resources/attestations/commons-text-1.4.intoto.json
@@ -133,22 +133,22 @@
             "gitTree": "bdb67e47c1b7df9c35ae045f29a348bb5bd32dc3"
           },
           "annotations": {
-            "vendor.version": "Temurin-25.0.2+10",
+            "home": "/usr/lib/jvm/temurin-25-jdk-amd64",
+            "specification.maintenance.version": null,
             "specification.name": "Java Platform API Specification",
             "specification.vendor": "Oracle Corporation",
-            "vm.version": "25.0.2+10-LTS",
-            "version": "25.0.2",
-            "version.date": "2026-01-20",
-            "vm.specification.vendor": "Oracle Corporation",
-            "home": "/usr/lib/jvm/temurin-25-jdk-amd64",
+            "specification.version": "25",
             "vendor": "Eclipse Adoptium",
-            "vm.vendor": "Eclipse Adoptium",
             "vendor.url": "https://adoptium.net/",
-            "specification.maintenance.version": null,
-            "vm.specification.version": "25",
+            "vendor.version": "Temurin-25.0.2+10",
+            "version": "25.0.2",
+            "version.date": "2026-01-20",
             "vm.name": "OpenJDK 64-Bit Server VM",
             "vm.specification.name": "Java Virtual Machine Specification",
-            "specification.version": "25"
+            "vm.specification.vendor": "Oracle Corporation",
+            "vm.specification.version": "25",
+            "vm.vendor": "Eclipse Adoptium",
+            "vm.version": "25.0.2+10-LTS"
           }
         },
         {
