Skip to content

👷 ci: add [email protected] to code quality workflow #1134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 44 commits into
base: main
Choose a base branch
from
Open

👷 ci: add [email protected] to code quality workflow #1134

wants to merge 44 commits into from

Conversation

randomicecube
Copy link

@randomicecube randomicecube commented Mar 21, 2025
edited
Loading

@randomicecube randomicecube self-assigned this Mar 21, 2025
@randomicecube
Copy link
Author

randomicecube commented Mar 21, 2025
edited
Loading

cc @algomaster99 @LogFlames @monperrus
now the workflow should hopefully run without issues!
EDIT: yup, it did!

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 21, 2025
edited
Loading

Software Supply Chain Report of chains-project/maven-lockfile - 32bbb53

Enabled Checks

The following checks were specifically requested:

  • Source Code: source_code
  • Source Code Sha: source_code_sha
  • Deprecated: deprecated
  • Provenance: provenance
  • Code Signature: code_signature
  • Aliased Packages: aliased_packages
How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

  • ⚠️⚠️⚠️ : high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 466

❗ Packages with no source code URL (⚠️⚠️⚠️): 0

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 0

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 75

🔒 Packages without code signature (⚠️⚠️): 1

🔓 Packages with invalid code signature (⚠️⚠️): 0

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.
All analyzed packages have a source code repo.

List of packages with available source code repos but with inaccessible commit SHAs/tags(75)
package_name sha_exists tag_version is_sha sha tag_url message status_code_for_sha parent command
commons-codec:[email protected] False 1.17.1 False Tag 1.17.1 not found in the repo 404 org.cyclonedx:[email protected] resolve-plugins
commons-io:[email protected] False 2.18.0 False Tag 2.18.0 not found in the repo 404 org.codehaus.gmavenplus:[email protected] resolve-plugins
org.eclipse.sisu:[email protected] False 0.9.0.M3 False Tag 0.9.0.M3 not found in the repo 404 io.quarkus:[email protected] tree
org.eclipse.sisu:[email protected] False 0.9.0.M3 False Tag 0.9.0.M3 not found in the repo 404 io.quarkus:[email protected] tree
org.apache.maven.doxia:[email protected] False 1.11.1 False Tag 1.11.1 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.commons:[email protected] False 3.8.1 False Tag 3.8.1 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.httpcomponents:[email protected] False 4.5.13 False Tag 4.5.13 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.httpcomponents:[email protected] False 4.4.14 False Tag 4.4.14 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.maven.doxia:[email protected] False 1.11.1 False Tag 1.11.1 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.maven.doxia:[email protected] False 1.11.1 False Tag 1.11.1 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
commons-io:[email protected] False 2.16.1 False Tag 2.16.1 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.commons:[email protected] False 4.4 False Tag 4.4 not found in the repo 404 io.quarkus.platform:[email protected] resolve-plugins
org.apache.commons:[email protected] False 3.17.0 False Tag 3.17.0 not found in the repo 404 org.kohsuke:[email protected] tree
commons-codec:[email protected] False 1.18.0 False Tag 1.18.0 not found in the repo 404 io.smallrye.beanbag:[email protected] tree
org.apache.httpcomponents:[email protected] False 4.5.14 False Tag 4.5.14 not found in the repo 404 io.smallrye.beanbag:[email protected] tree
org.apache.httpcomponents:[email protected] False 4.4.16 False Tag 4.4.16 not found in the repo 404 io.smallrye.beanbag:[email protected] tree
com.google.guava:[email protected] False 33.4.8-jre False Tag 33.4.8-jre not found in the repo 404 org.apache.maven:[email protected] tree
commons-cli:[email protected] False 1.8.0 False Tag 1.8.0 not found in the repo 404 org.apache.maven:[email protected] tree
org.aesh:[email protected] False 2.8.2 False Tag 2.8.2 not found in the repo 404 io.quarkus:[email protected] tree
io.github.crac:[email protected] False 0.1.3 False Tag 0.1.3 not found in the repo 404 io.quarkus:[email protected] tree
org.junit.platform:[email protected] False 1.12.2 False Tag 1.12.2 not found in the repo 404 io.quarkus:[email protected] tree
org.junit.platform:[email protected] False 1.12.2 False Tag 1.12.2 not found in the repo 404 org.junit.jupiter:[email protected] tree
org.junit.platform:[email protected] False 1.12.2 False Tag 1.12.2 not found in the repo 404 org.junit.jupiter:[email protected] tree
commons-io:[email protected] False 2.19.0 False Tag 2.19.0 not found in the repo 404 io.quarkus:[email protected] tree
org.apache.commons:[email protected] False 1.27.1 False Tag 1.27.1 not found in the repo 404 io.quarkus.platform:[email protected] resolve-plugins
org.jdom:[email protected] False 2.0.6.1 False Tag 2.0.6.1 not found in the repo 404 io.quarkus.platform:[email protected] resolve-plugins
jakarta.el:[email protected] False 5.0.1 False Tag 5.0.1 not found in the repo 404 jakarta.enterprise:[email protected] tree
jakarta.interceptor:[email protected] False 2.2.0 False Tag 2.2.0 not found in the repo 404 jakarta.enterprise:[email protected] tree
jakarta.json:[email protected] False 2.1.3 False Tag 2.1.3 not found in the repo 404 io.smallrye:[email protected] tree
org.twdata.maven:[email protected] False 2.4.0 False Tag 2.4.0 not found in the repo 404 io.quarkus.platform:[email protected] resolve-plugins
org.jboss.slf4j:[email protected] False 2.0.0.Final False Tag 2.0.0.Final not found in the repo 404 io.quarkus:[email protected] tree
org.apache.commons:[email protected] False 1.26.2 False Tag 1.26.2 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
commons-codec:[email protected] False 1.17.0 False Tag 1.17.0 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
org.apache.commons:[email protected] False 3.14.0 False Tag 3.14.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
commons-io:[email protected] False 2.11.0 False Tag 2.11.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.commons:[email protected] False 1.26.1 False Tag 1.26.1 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
commons-codec:[email protected] False 1.16.1 False Tag 1.16.1 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
com.google.protobuf:[email protected] False 4.29.3 False Tag 4.29.3 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
com.google.protobuf:[email protected] False 4.29.3 False Tag 4.29.3 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
com.google.guava:[email protected] False 32.0.1-jre False Tag 32.0.1-jre not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
com.google.guava:[email protected] False 9999.0-empty-to-avoid-conflict-with-guava False Tag 9999.0-empty-to-avoid-conflict-with-guava not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
commons-codec:[email protected] False 1.17.2 False Tag 1.17.2 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
com.google.code.gson:[email protected] False 2.12.1 False Tag 2.12.1 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
org.bouncycastle:[email protected] False 1.80 False Tag 1.80 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
org.bouncycastle:[email protected] False 1.80 False Tag 1.80 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
org.bouncycastle:[email protected] False 1.80 False Tag 1.80 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
org.bouncycastle:[email protected] False 1.78.1 False Tag 1.78.1 not found in the repo 404 dev.sigstore:[email protected] resolve-plugins
org.apache.commons:[email protected] False 1.12.0 False Tag 1.12.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.apache.maven.doxia:[email protected] False 2.0.0 False Tag 2.0.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
org.eclipse.jetty:[email protected] False 9.4.56.v20240826 False Tag 9.4.56.v20240826 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
com.diffplug.spotless:[email protected] False 2.44.4 False Tag 2.44.4 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
com.diffplug.spotless:[email protected] False 3.1.1 False Tag 3.1.1 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
com.diffplug.spotless:[email protected] False 3.1.1 False Tag 3.1.1 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
dev.equo.ide:[email protected] False 1.8.1 False Tag 1.8.1 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
org.jetbrains:[email protected] False 13.0 False Tag 13.0 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
org.eclipse.platform:[email protected] False 3.23.0 False Tag 3.23.0 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
com.diffplug.durian:[email protected] False 1.2.0 False Tag 1.2.0 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
com.diffplug.durian:[email protected] False 1.2.0 False Tag 1.2.0 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
com.diffplug.durian:[email protected] False 1.2.0 False Tag 1.2.0 not found in the repo 404 com.diffplug.spotless:[email protected] resolve-plugins
org.apache.commons:[email protected] False 3.12.0 False Tag 3.12.0 not found in the repo 404 org.apache.maven.plugins:[email protected] resolve-plugins
io.vertx:[email protected] False 4.5.14 False Tag 4.5.14 not found in the repo 404 io.smallrye:[email protected] tree
io.vertx:[email protected] False 4.5.14 False Tag 4.5.14 not found in the repo 404 io.vertx:[email protected] tree
io.vertx:[email protected] False 4.5.14 False Tag 4.5.14 not found in the repo 404 io.vertx:[email protected] tree
io.vertx:[email protected] False 4.5.14 False Tag 4.5.14 not found in the repo 404 io.vertx:[email protected] tree

The package manager (maven) does not support checking for deprecated packages.

List of packages without code signature(1)
package_name signature_present parent command
com.kohlschutter.junixsocket:[email protected] False dev.sigstore:[email protected] resolve-plugins

All packages have valid code signature.

The package manager (maven) does not support checking for provenance.

The package manager (maven) does not support checking for aliased packages.

Call to Action:

👻What do I do now?

For packages without source code & accessible SHA/release tags:

  • Why? Missing or inaccessible source code makes it impossible to audit the package for security vulnerabilities or malicious code.
  1. Pull Request to the maintainer of dependency, requesting correct repository metadata and proper versioning/tagging.

For deprecated packages:

  • Why? Deprecated packages may contain known security issues and are no longer maintained, putting your project at risk.
  1. Confirm the maintainer's deprecation intention
  2. Check for not deprecated versions

For packages without code signature:

  • Why? Code signatures help verify the authenticity and integrity of the package, ensuring it hasn't been tampered with.
  1. Open an issue in the dependency's repository to request the inclusion of code signature in the CI/CD pipeline.

For packages with invalid code signature:

  • Why? Invalid signatures could indicate tampering or compromised build processes.
  1. It's recommended to verify the code signature and contact the maintainer to fix the issue.

For packages without provenance:

  • Why? Without provenance, there's no way to verify that the package was built from the claimed source code, making supply chain attacks possible.
  1. Open an issue in the dependency's repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.

For packages that are aliased:

  • Why? Aliased packages may hide malicious dependencies under seemingly legitimate names.
  1. Check the aliased package and its repository to verify the alias is not malicious.

Notes

Other info:

  • Source code repo is not hosted on GitHub: 45

    This could be due, for example, to the package being hosted on a different platform.

    This does not mean that the source code URL is invalid.

    However, for non-GitHub repositories, not all checks can currently be performed.

index package_name github_url parent command
1 javax.inject:javax.inject@1 http://code.google.com/p/atinject/source/checkout io.smallrye.beanbag:[email protected] tree
2 org.apache.xbean:[email protected] http://svn.apache.org/viewvc/geronimo/xbean/tags/xbean-3.7/xbean-reflect org.apache.maven.plugins:[email protected] resolve-plugins
3 com.google.collections:[email protected] http://code.google.com/p/google-collections/source/browse/ org.apache.maven.plugins:[email protected] resolve-plugins
4 org.eclipse.aether:[email protected] http://git.eclipse.org/c/aether/aether-core.git/tree/aether-spi/ org.apache.maven.plugins:[email protected] resolve-plugins
5 org.eclipse.aether:[email protected] http://git.eclipse.org/c/aether/aether-core.git/tree/aether-impl/ org.apache.maven.plugins:[email protected] resolve-plugins
6 org.eclipse.aether:[email protected] http://git.eclipse.org/c/aether/aether-core.git/tree/aether-api/ org.apache.maven.plugins:[email protected] resolve-plugins
7 org.eclipse.aether:[email protected] http://git.eclipse.org/c/aether/aether-core.git/tree/aether-util/ org.apache.maven.plugins:[email protected] resolve-plugins
8 org.codehaus.plexus:[email protected] http://fisheye.codehaus.org/browse/plexus/plexus-containers/tags/plexus-containers-1.5.5/plexus-component-annotations org.apache.maven.plugins:[email protected] resolve-plugins
9 org.sonatype.plexus:[email protected] Could not find repo from package registry org.apache.maven.plugins:[email protected] resolve-plugins
10 org.sonatype.plexus:[email protected] Could not find repo from package registry org.apache.maven.plugins:[email protected] resolve-plugins
11 commons-logging:[email protected] http://svn.apache.org/repos/asf/commons/proper/logging/trunk org.apache.maven.plugins:[email protected] resolve-plugins
12 org.codehaus.plexus:[email protected] http://fisheye.codehaus.org/browse/plexus/plexus-components/tags/plexus-i18n-1.0-beta-10 org.apache.maven.plugins:[email protected] resolve-plugins
13 org.apache.velocity:[email protected] http://svn.apache.org/viewvc/velocity/engine/trunk org.apache.maven.plugins:[email protected] resolve-plugins
14 commons-lang:[email protected] http://svn.apache.org/viewvc/commons/proper/lang/trunk org.apache.maven.plugins:[email protected] resolve-plugins
15 org.apache.velocity:[email protected] http://svn.apache.org/repos/asf/velocity/tools/trunk org.apache.maven.plugins:[email protected] resolve-plugins
16 commons-beanutils:[email protected] Could not find repo from package registry org.apache.maven.plugins:[email protected] resolve-plugins
17 commons-digester:[email protected] http://svn.apache.org/repos/asf/jakarta/commons/proper/digester/trunk org.apache.maven.plugins:[email protected] resolve-plugins
18 commons-chain:[email protected] http://svn.apache.org/viewcvs.cgi org.apache.maven.plugins:[email protected] resolve-plugins
19 dom4j:[email protected] Could not find repo from package registry org.apache.maven.plugins:[email protected] resolve-plugins
20 oro:[email protected] Could not find repo from package registry org.apache.maven.plugins:[email protected] resolve-plugins
21 commons-collections:[email protected] http://svn.apache.org/viewvc/commons/proper/collections/trunk org.apache.maven.plugins:[email protected] resolve-plugins
22 org.yaml:[email protected] https://bitbucket.org/snakeyaml/snakeyaml/src org.cyclonedx:[email protected] resolve-plugins
23 org.ow2.asm:[email protected] https://gitlab.ow2.org/asm/asm/ org.cyclonedx:[email protected] resolve-plugins
24 aopalliance:[email protected] http://aopalliance.sourceforge.net com.google.inject:[email protected] tree
25 org.ow2.asm:[email protected] https://gitlab.ow2.org/asm/asm/ io.quarkus.gizmo:[email protected] tree
26 org.ow2.asm:[email protected] https://gitlab.ow2.org/asm/asm/ org.ow2.asm:[email protected] tree
27 org.ow2.asm:[email protected] https://gitlab.ow2.org/asm/asm/ io.quarkus:[email protected] tree
28 org.ow2.asm:[email protected] https://gitlab.ow2.org/asm/asm/ io.quarkus:[email protected] tree
29 org.ow2.asm:[email protected] https://gitlab.ow2.org/asm/asm/ org.ow2.asm:[email protected] tree
30 org.yaml:[email protected] https://bitbucket.org/snakeyaml/snakeyaml/src com.fasterxml.jackson.dataformat:[email protected] tree
31 org.ow2.asm:[email protected] https://gitlab.ow2.org/asm/asm/ org.apache.maven.plugins:[email protected] resolve-plugins
32 org.tukaani:[email protected] https://git.tukaani.org/?p=xz-java.git com.diffplug.spotless:[email protected] resolve-plugins
33 org.apache.ant:[email protected] https://gitbox.apache.org/repos/asf/ant.git/ant org.codehaus.gmavenplus:[email protected] resolve-plugins
34 org.apache.ant:[email protected] https://gitbox.apache.org/repos/asf/ant.git/ant-launcher org.codehaus.gmavenplus:[email protected] resolve-plugins
35 org.apache.ivy:[email protected] https://svn.apache.org/repos/asf/ant/ivy/core/trunk org.codehaus.gmavenplus:[email protected] resolve-plugins
36 org.apache.maven.shared:[email protected] http://svn.apache.org/viewvc/maven/shared/tags/maven-shared-incremental-1.1 org.apache.maven.plugins:[email protected] resolve-plugins
37 org.iq80.snappy:[email protected] Could not find repo from package registry org.apache.maven.plugins:[email protected] resolve-plugins
38 com.google.code.findbugs:[email protected] https://code.google.com/p/jsr-305/ dev.sigstore:[email protected] resolve-plugins
39 com.google.j2objc:[email protected] http://svn.sonatype.org/spice/trunk/oss/oss-parent-9/j2objc-annotations dev.sigstore:[email protected] resolve-plugins
40 com.google.android:[email protected] https://android.git.kernel.org/ dev.sigstore:[email protected] resolve-plugins
41 commons-beanutils:[email protected] http://svn.apache.org/viewvc/commons/proper/beanutils/tags/BEANUTILS_1_9_3_RC3 org.apache.maven.plugins:[email protected] resolve-plugins
42 org.apache.commons:[email protected] http://svn.apache.org/viewvc/commons/proper/digester/tags/DIGESTER3_3_2_RC2 org.apache.maven.plugins:[email protected] resolve-plugins
43 javax.servlet:[email protected] http://java.net/projects/glassfish/sources/svn/show/tags/javax.servlet-api-3.1.0 org.apache.maven.plugins:[email protected] resolve-plugins
44 org.eclipse.jgit:[email protected] https://git.eclipse.org/r/plugins/gitiles/jgit/jgit/org.eclipse.jgit com.diffplug.spotless:[email protected] resolve-plugins
45 org.sonatype.plexus:[email protected] http://svn.sonatype.org/spice/tags/plexus-build-api-0.0.7 org.apache.maven.plugins:[email protected] resolve-plugins

Report created by dirty-waters.

Report created on 2025-05-07 10:02:54

  • Tool version: 601adbfe
  • Project Name: chains-project/maven-lockfile
  • Project Version: 32bbb53
  • Package Manager: maven

@algomaster99
Copy link
Member

Same here chains-project/sbom.exe#317 (comment) unless Elias gets here first.

@LogFlames
Copy link
Member

Nice!

Looking at the deps with missing repo-urls I will have to hunt those down. For example oro:[email protected] is a transitive dependency of maven-artifact-plugin, but haven't found a way to find where it is exactly yet.

@LogFlames LogFlames mentioned this pull request Mar 25, 2025
Merged
@randomicecube
Copy link
Author

randomicecube commented Mar 26, 2025
edited
Loading

@LogFlames as a glimmer of hope, chains-project/dirty-waters#73 should be merged today and provide you with a lot more detail regarding where each package comes from :)
EDIT: done!

@LogFlames LogFlames mentioned this pull request Mar 26, 2025
Closed
6 tasks
@LogFlames
Copy link
Member

LogFlames commented Mar 26, 2025
edited
Loading

Nice! Very helpful to identify plugins which have a high number of broken dependencies ^^

Unfortunately oro:[email protected] (and I think some more) are transitive dependencies of maven-artifact-plugin as well :p

@LogFlames LogFlames changed the title chore: add [email protected] to code quality workflow 👷 ci: add [email protected] to code quality workflow Mar 26, 2025
@LogFlames LogFlames mentioned this pull request Mar 28, 2025
Closed
@LogFlames
Copy link
Member

@randomicecube does the workflow need to be triggered in some special way besides a new commit? Or maybe the cache nedes to be cleared?

I merged in main where I had removed maven-eclipse-plugin and some of the critical warnings are gone from the report. However, two still remain (org.sonatype.plexus:[email protected] and org.sonatype.plexus:[email protected]).

When running mvn dependency:resolve-plugins manually these are part of the dependency tree but not under maven-eclipse-plugin as currently stated in the report but instead under maven-artifact-plugin. From the output of resolve-plugins I don't see any maven-eclipse-plugin remaining.

@randomicecube
Copy link
Author

@randomicecube does the workflow need to be triggered in some special way besides a new commit? Or maybe the cache nedes to be cleared?

Maybe there's a cache issue, but it doesn't make a lot of sense to me -- between the latest and the second-to-last comment, there are 60 less packages in the supply chain, which I'm assuming are related with the changes coming from main? And maybe those then reflect on the less amount of warnings now?

I merged in main where I had removed maven-eclipse-plugin and some of the critical warnings are gone from the report. However, two still remain (org.sonatype.plexus:[email protected] and org.sonatype.plexus:[email protected]).
When running mvn dependency:resolve-plugins manually these are part of the dependency tree but not under maven-eclipse-plugin as currently stated in the report but instead under maven-artifact-plugin. From the output of resolve-plugins I don't see any maven-eclipse-plugin remaining.

Regarding this, that hadn't happened to me before (in fact, I vividly remember them being under maven-artifact-plugin, as you said); I will try and see what's going on, and update you afterward

@randomicecube
Copy link
Author

Hey @LogFlames I just ran the resolve-plugins goal locally and got the following:

image

Does the same happen to you? If so, this does seem to indicate that it makes sense for it to be connected to eclipse-plugin

@randomicecube randomicecube mentioned this pull request Mar 30, 2025
Open
6 tasks
@LogFlames
Copy link
Member

@randomicecube I don't get the same output, did you pull this branch after I merged in main where maven-eclipse-plugin had been removed?

This is my output:

mvn dependency:resolve-plugins 
[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO] 
[INFO] maven-lockfile-parent                                              [pom]
[INFO] maven-lockfile-plugin                                     [maven-plugin]
[INFO] maven-lockfile-github-action                                       [jar]
[INFO] 
[INFO] -----------< io.github.chains-project:maven-lockfile-parent >-----------
[INFO] Building maven-lockfile-parent 5.4.3-SNAPSHOT                      [1/3]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:resolve-plugins (default-cli) @ maven-lockfile-parent ---
[INFO] Plugin Resolved: spotless-maven-plugin-2.44.3.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-3.1.0.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-extra-3.1.0.jar
[INFO]     Plugin Dependency Resolved: durian-core-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-io-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-collect-1.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-resources-1.3.0.jar
[INFO]     Plugin Dependency Resolved: org.eclipse.jgit-6.10.0.202406032230-r.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: maven-artifact-plugin-3.6.0.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.1.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.18.0.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-1.12.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-impl-3.1.0.jar
[INFO] Plugin Resolved: maven-install-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO] Plugin Resolved: cyclonedx-maven-plugin-2.9.1.jar
[INFO]     Plugin Dependency Resolved: cyclonedx-core-java-9.0.5.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-tree-3.3.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-analyzer-1.14.1.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-clean-plugin-3.4.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: gmavenplus-plugin-4.1.1.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.3.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.14.0.jar
[INFO]     Plugin Dependency Resolved: jansi-2.4.1.jar
[INFO]     Plugin Dependency Resolved: jline-2.14.6.jar
[INFO]     Plugin Dependency Resolved: ant-1.10.15.jar
[INFO]     Plugin Dependency Resolved: ivy-2.5.2.jar
[INFO] Plugin Resolved: maven-compiler-plugin-3.14.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-shared-incremental-1.1.jar
[INFO]     Plugin Dependency Resolved: plexus-java-1.4.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-api-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-manager-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-javac-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: maven-jar-plugin-3.4.2.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.9.2.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: slf4j-api-1.7.36.jar
[INFO] Plugin Resolved: maven-enforcer-plugin-3.5.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-api-3.5.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-rules-3.5.0.jar
[INFO] Plugin Resolved: maven-site-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-api-4.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-exec-2.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.10.0.jar
[INFO]     Plugin Dependency Resolved: plexus-i18n-1.0-beta-10.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-core-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xhtml5-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-apt-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xdoc-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-fml-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-markdown-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-model-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-renderer-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-integration-tools-2.0.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: jetty-server-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-http-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-servlet-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-webapp-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-util-9.4.56.v20240826.jar
[INFO] Plugin Resolved: maven-resources-plugin-3.3.1.jar
[INFO]     Plugin Dependency Resolved: plexus-interpolation-1.26.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.11.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.12.0.jar
[INFO] Plugin Resolved: maven-deploy-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO] 
[INFO] --------------< io.github.chains-project:maven-lockfile >---------------
[INFO] Building maven-lockfile-plugin 5.4.3-SNAPSHOT                      [2/3]
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:resolve-plugins (default-cli) @ maven-lockfile ---
[INFO] Plugin Resolved: spotless-maven-plugin-2.44.3.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-3.1.0.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-extra-3.1.0.jar
[INFO]     Plugin Dependency Resolved: durian-core-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-io-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-collect-1.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-resources-1.3.0.jar
[INFO]     Plugin Dependency Resolved: org.eclipse.jgit-6.10.0.202406032230-r.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: itf-maven-plugin-0.13.1.jar
[INFO]     Plugin Dependency Resolved: aether-util-1.0.0.v20140518.jar
[INFO]     Plugin Dependency Resolved: itf-extension-maven-0.13.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO] Plugin Resolved: maven-artifact-plugin-3.6.0.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.1.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.18.0.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-1.12.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-impl-3.1.0.jar
[INFO] Plugin Resolved: maven-install-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO] Plugin Resolved: cyclonedx-maven-plugin-2.9.1.jar
[INFO]     Plugin Dependency Resolved: cyclonedx-core-java-9.0.5.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-tree-3.3.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-analyzer-1.14.1.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-clean-plugin-3.4.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: gmavenplus-plugin-4.1.1.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.3.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.14.0.jar
[INFO]     Plugin Dependency Resolved: jansi-2.4.1.jar
[INFO]     Plugin Dependency Resolved: jline-2.14.6.jar
[INFO]     Plugin Dependency Resolved: ant-1.10.15.jar
[INFO]     Plugin Dependency Resolved: ivy-2.5.2.jar
[INFO] Plugin Resolved: maven-compiler-plugin-3.14.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-shared-incremental-1.1.jar
[INFO]     Plugin Dependency Resolved: plexus-java-1.4.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-api-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-manager-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-javac-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: maven-jar-plugin-3.4.2.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.9.2.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: slf4j-api-1.7.36.jar
[INFO] Plugin Resolved: maven-plugin-plugin-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-api-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-generators-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-java-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-annotations-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-annotations-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-ant-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-beanshell-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-velocity-2.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: maven-enforcer-plugin-3.5.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-api-3.5.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-rules-3.5.0.jar
[INFO] Plugin Resolved: maven-site-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-api-4.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-exec-2.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.10.0.jar
[INFO]     Plugin Dependency Resolved: plexus-i18n-1.0-beta-10.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-core-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xhtml5-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-apt-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xdoc-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-fml-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-markdown-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-model-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-renderer-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-integration-tools-2.0.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: jetty-server-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-http-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-servlet-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-webapp-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-util-9.4.56.v20240826.jar
[INFO] Plugin Resolved: maven-resources-plugin-3.3.1.jar
[INFO]     Plugin Dependency Resolved: plexus-interpolation-1.26.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.11.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.12.0.jar
[INFO] Plugin Resolved: maven-failsafe-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-booter-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-shared-utils-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-deploy-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO] 
[INFO] -------< io.github.chains-project:maven-lockfile-github-action >--------
[INFO] Building maven-lockfile-github-action 5.4.3-SNAPSHOT               [3/3]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:resolve-plugins (default-cli) @ maven-lockfile-github-action ---
[INFO] Plugin Resolved: spotless-maven-plugin-2.44.3.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-3.1.0.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-extra-3.1.0.jar
[INFO]     Plugin Dependency Resolved: durian-core-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-io-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-collect-1.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-resources-1.3.0.jar
[INFO]     Plugin Dependency Resolved: org.eclipse.jgit-6.10.0.202406032230-r.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: maven-artifact-plugin-3.6.0.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.1.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.18.0.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-1.12.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-impl-3.1.0.jar
[INFO] Plugin Resolved: maven-install-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO] Plugin Resolved: quarkus-maven-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-bootstrap-core-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-bootstrap-maven-resolver-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-core-deployment-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-project-core-extension-codestarts-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-devtools-common-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-analytics-common-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-cyclonedx-generator-3.21.0.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: freemarker-2.3.34.jar
[INFO]     Plugin Dependency Resolved: parsson-1.1.7.jar
[INFO]     Plugin Dependency Resolved: jackson-databind-2.18.2.jar
[INFO]     Plugin Dependency Resolved: mojo-executor-2.4.0.jar
[INFO]     Plugin Dependency Resolved: slf4j-jboss-logmanager-2.0.0.Final.jar
[INFO] Plugin Resolved: cyclonedx-maven-plugin-2.9.1.jar
[INFO]     Plugin Dependency Resolved: cyclonedx-core-java-9.0.5.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-tree-3.3.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-analyzer-1.14.1.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-clean-plugin-3.4.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: gmavenplus-plugin-4.1.1.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.3.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.14.0.jar
[INFO]     Plugin Dependency Resolved: jansi-2.4.1.jar
[INFO]     Plugin Dependency Resolved: jline-2.14.6.jar
[INFO]     Plugin Dependency Resolved: ant-1.10.15.jar
[INFO]     Plugin Dependency Resolved: ivy-2.5.2.jar
[INFO] Plugin Resolved: maven-compiler-plugin-3.14.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-shared-incremental-1.1.jar
[INFO]     Plugin Dependency Resolved: plexus-java-1.4.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-api-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-manager-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-javac-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: maven-jar-plugin-3.4.2.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.9.2.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: slf4j-api-1.7.36.jar
[INFO] Plugin Resolved: maven-enforcer-plugin-3.5.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-api-3.5.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-rules-3.5.0.jar
[INFO] Plugin Resolved: maven-site-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-api-4.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-exec-2.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.10.0.jar
[INFO]     Plugin Dependency Resolved: plexus-i18n-1.0-beta-10.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-core-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xhtml5-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-apt-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xdoc-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-fml-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-markdown-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-model-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-renderer-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-integration-tools-2.0.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: jetty-server-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-http-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-servlet-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-webapp-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-util-9.4.56.v20240826.jar
[INFO] Plugin Resolved: maven-resources-plugin-3.3.1.jar
[INFO]     Plugin Dependency Resolved: plexus-interpolation-1.26.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.11.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.12.0.jar
[INFO] Plugin Resolved: maven-failsafe-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-booter-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-shared-utils-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-deploy-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for maven-lockfile-parent 5.4.3-SNAPSHOT:
[INFO] 
[INFO] maven-lockfile-parent .............................. SUCCESS [  0.306 s]
[INFO] maven-lockfile-plugin .............................. SUCCESS [  0.067 s]
[INFO] maven-lockfile-github-action ....................... SUCCESS [  0.086 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.079 s
[INFO] Finished at: 2025-03-30T19:36:57+02:00
[INFO] ------------------------------------------------------------------------
[INFO] 3 goals, 3 executed

@randomicecube
Copy link
Author

randomicecube commented Mar 30, 2025
edited
Loading

@LogFlames you are right, I hadn't pulled, I'll run the tool again on this commit and try to see what may be happening.

First thoughts though are that it is probably a cache-related issue: on dependency extraction, we'll see a previously cached dependency, which will come with the extracted parent as well, and just use it; I'll tinker with this
EDIT: that'd be weird though, because caching here is made on the pom-level, and the hashes between the two POM files shouldn't be the same... weird

@randomicecube
Copy link
Author

Re-running with debug because I'm scratching my head at this one, doesn't really make sense since because of the pom's hash being the cache key, I don't get where it got that parent from, it should have been reset

@randomicecube
Copy link
Author

@LogFlames fixed, I think!

@LogFlames
Copy link
Member

Awesome! Thanks!

maven-artifact-plugin will be difficult to remove and we are on the latest version. Is there some option to whitelist those repositories so CI will succeed, but it will still fail if more/new dependencies have critical warnings?

@randomicecube
Copy link
Author

randomicecube commented Apr 2, 2025
edited
Loading

@LogFlames yes! See https://github.com/chains-project/dirty-waters/?tab=readme-ov-file#configuration

Although this doesn't support ignoring packages w/ certain parents, just packages themselves -- I will add support for that!

@randomicecube
Copy link
Author

@LogFlames v1.11.35 now gives the ability to ignore deps w/ certain parents; docs about this still at https://github.com/chains-project/dirty-waters/?tab=readme-ov-file#configuration!

@LogFlames
Copy link
Member

Awesome, now all critical and medium warnings have been added to the ignore and CI passes! 🎉

Before we merge we should add harden-runner to the workflow and pin all actions to sha's instead of tags.

I also think it would be nice if the report included the number of suppressed or ignored warnings, for example as footnotes (or some other formatting).

Total packages in the supply chain: 427

❗ Packages with no source code URL (⚠️⚠️⚠️): 01

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 02

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 03

🔒 Packages without code signature (⚠️⚠️): 04

🔓 Packages with invalid code signature (⚠️⚠️): 0

Footnotes

  1. Suppressed 5 warnings for ❗ Packages with no source code URL (⚠️⚠️⚠️)

  2. Suppressed 1 warning for ⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️)

  3. Suppressed 66 warnings for 🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️)

  4. Suppressed 18 warnings for 🔒 Packages without code signature (⚠️⚠️)

@randomicecube
Copy link
Author

That's an interesting suggestion, I'll add it as an issue!

@randomicecube randomicecube mentioned this pull request Apr 4, 2025
Open
@LogFlames LogFlames changed the title 👷 ci: add [email protected] to code quality workflow 👷 ci: add [email protected] to code quality workflow Apr 5, 2025
@algomaster99
Copy link
Member

@randomicecube I was completely off track, but right now I am discussing this PR with @LogFlames. The ignore list is nice. I was thinking to augment it with URLs of tags that can be manually found. For example, com.diffplug.spotless:[email protected]'s tag URL is - https://github.com/diffplug/spotless/tree/maven/2.44.3. I know the naming is not conventional. But maybe your cache can use this information in some way?

@LogFlames LogFlames changed the title 👷 ci: add [email protected] to code quality workflow 👷 ci: add [email protected] to code quality workflow Apr 16, 2025
@LogFlames
Copy link
Member

LogFlames commented Apr 25, 2025
edited
Loading

@randomicecube sorry to bother you again! I am trying to figure out why the report is generated for the latest commit in main branch and not the one checked out in this PR.

It does find the config file (at least seems like it, from logs):
image

In the print everything in the latest config file (in the diogo/add-dirty-waters branch) is included. However, stuff that should be ignored in the config is still being listed as unaccessible shas:
image

So it seems the config is not correctly applied for all deps, but it is applied for some (e.g. a bunch of missing signatures and major warnings with 404 source code urls) 🤔
I have tried to clear the cache as well using gh cache delete --all.

Any help would be greatly appreciated!

@randomicecube randomicecube mentioned this pull request May 3, 2025
Merged
@LogFlames LogFlames changed the title 👷 ci: add [email protected] to code quality workflow 👷 ci: add [email protected] to code quality workflow May 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@randomicecube randomicecube

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@randomicecube @algomaster99 @LogFlames