Reporting version info for maven dependencies #605
Comments
Great suggestion - yes the versions that one could upgrade to would be valuable (heck we might be able to see if they are known vulnerable too). Would this have to be Maven specific though? If the hash matches (either CentralAnalyzer or NexusAnalyzer) isn't there a subsequent get available versions API? Regarding what to present - I agree this is difficult. I might consider taking the exact same approach as the dependency plugin and show the latest minor and latest major release (we might even be able to borrow code depending on the licenses for this). One of the known issues with the get available versions is that sometimes there is a timestamp or something in the version that completely messes up trying to figure out what the latest is. For reporting purposes - the full GAV of the available version would be good.
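As an added illustration of the "latest minor / latest major" selection discussed in the comment above, written for this thread and not taken from dependency-check or the Maven dependency plugin: it reports both suggestions as full GAVs and sets aside the timestamped and qualifier versions that the comment notes break naive "latest" detection. The coordinates and the available-version list are constructed sample data.

```python
import re

# Constructed sample: what a "get available versions" lookup might return for
# a hypothetical coordinate. Not a real repository response.
SAMPLE_AVAILABLE = [
    "1.2.0", "1.2.1", "1.3.0",
    "1.3.0-20140612.201553-1",   # timestamped snapshot: not a release
    "2.0.0", "2.0.1",
    "2.1.0-SNAPSHOT",            # unreleased
    "3.0.0-beta1",               # pre-release qualifier
]

_RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_release(version):
    """Return (major, minor, patch) for a plain numeric release, else None.

    Anything with a qualifier (timestamp, -SNAPSHOT, -beta1, ...) is treated
    as not a release so it can never be reported as "the latest".
    """
    m = _RELEASE.match(version)
    return tuple(int(x) for x in m.groups()) if m else None


def suggest_upgrades(group, artifact, current, available):
    """Pick the newest release in the current major line and the newest
    release in any higher major line, reported as group:artifact:version.
    Versions that could not be parsed are listed under "skipped"."""
    cur = parse_release(current)
    if cur is None:
        return {"skipped": list(available)}
    parsed = [(parse_release(v), v) for v in available]
    skipped = [v for t, v in parsed if t is None]
    newer = [(t, v) for t, v in parsed if t is not None and t > cur]
    same_major = max((c for c in newer if c[0][0] == cur[0]), default=None)
    next_major = max((c for c in newer if c[0][0] > cur[0]), default=None)
    gav = lambda v: f"{group}:{artifact}:{v}"
    result = {"skipped": skipped}
    if same_major is not None:
        result["latest_minor"] = gav(same_major[1])
    if next_major is not None:
        result["latest_major"] = gav(next_major[1])
    return result
```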
Not very familiar with nexus/central apis. Probably good to loop in @colezlaw on this one as it appears he originally did that work. That sounds good to extend the object to hold this info. Are any of the other analyzers doing something similar or is this new project-wide? Yes, agree the get available versions is non-optimal as not everyone uses semantic versioning. I'll try to take a peek at the dependency plugin once we hash out the other issues.
Bumping this to @colezlaw to see if he has any thoughts.
Baked into Maven is an API to get the available versions. The problem is this could probably work for Maven, gradle, or sbt - it likely would not be available in the other integrations (unless we found the maven coordinates from within the JAR in the CLI/ANT version).
Yeah, I think this would definitely be just for those integrations where we have access to the maven coordinates easily, at least at first. I was using those apis for the POC.
This is an enhancement idea specifically around the maven mojo - I'm willing to take a first cut at this work. Looking for feedback on a) would it be useful and b) discussion of solution.
First question, would it be useful to be able to present the available versions? I see there's a getVersionEvidence() method that exists on the Dependency class, but don't see it used in the system. Would it be useful to add this data for maven? If the answer above is "yes", I have some follow-up questions: