👷 ci: add [email protected] to code quality workflow #1134

randomicecube · 2025-03-21T09:05:47Z

Relates to chains-project/dirty-waters#58

randomicecube · 2025-03-21T09:06:12Z

cc @algomaster99 @LogFlames @monperrus
now the workflow should hopefully run without issues!
EDIT: yup, it did!

github-actions · 2025-03-21T10:16:27Z

Currently, this project does not break CI via dirty-waters-action, as it either didn't identify any smells, or did but not in an amount enough to break CI. You can still see the current report status below.

Software Supply Chain Report of chains-project/maven-lockfile

Software Supply Chain Report of chains-project/maven-lockfile - `a4bf2b1`

Enabled Checks

The following checks were requested project-wide:

Check	Status
Source Code: `source_code`	✅
Source Code Sha: `source_code_sha`	✅
Deprecated: `deprecated`	✅
Forks: `forks`	❌
Provenance: `provenance`	✅
Code Signature: `code_signature`	✅
Aliased Packages: `aliased_packages`	✅

Ignore Configuration Summary

Ignored Checks Per Dependency 🔧

These dependencies had specific checks excluded based on the configuration file.
Note: If all is listed, every check is ignored for that dependency.

Dependency Pattern	Ignored Checks
`aopalliance:[email protected]`	`code_signature`
`com.diffplug.durian:[email protected]`	`source_code_sha`
`com.diffplug.durian:[email protected]`	`source_code_sha`
`com.diffplug.durian:[email protected]`	`source_code_sha`
`com.diffplug.spotless:[email protected]`	`source_code_sha`
`com.diffplug.spotless:[email protected]`	`source_code_sha`
`com.diffplug.spotless:[email protected]`	`source_code_sha`
`com.google.code.gson:[email protected]`	`source_code_sha`
`com.google.code.gson:[email protected]`	`source_code_sha`
`com.google.collections:[email protected]`	`code_signature`
`com.google.guava:[email protected]`	`source_code_sha`
`com.google.guava:[email protected]`	`source_code_sha`
`com.google.guava:[email protected]`	`source_code_sha`
`com.google.guava:[email protected]`	`source_code_sha`
`com.google.guava:[email protected]`	`source_code_sha`
`com.google.protobuf:[email protected]`	`source_code_sha`
`com.google.protobuf:[email protected]`	`source_code_sha`
`com.kohlschutter.junixsocket:[email protected]`	`code_signature`
`com.soebes.itf.jupiter.extension:[email protected]`	`source_code_sha`
`com.soebes.itf.jupiter.extension:[email protected]`	`source_code_sha`
`com.soebes.itf.jupiter.extension:[email protected]`	`source_code_sha`
`com.soebes.itf.jupiter.extension:[email protected]`	`source_code_sha`
`commons-beanutils:[email protected]`	`source_code`, `code_signature`, `source_code_sha`, `forks`
`commons-chain:[email protected]`	`code_signature`
`commons-cli:[email protected]`	`source_code_sha`
`commons-codec:[email protected]`	`source_code_sha`
`commons-codec:[email protected]`	`source_code_sha`
`commons-codec:[email protected]`	`source_code_sha`
`commons-codec:[email protected]`	`source_code_sha`
`commons-codec:[email protected]`	`source_code_sha`
`commons-digester:[email protected]`	`code_signature`
`commons-io:[email protected]`	`source_code_sha`
`commons-io:[email protected]`	`source_code_sha`
`commons-io:[email protected]`	`source_code_sha`
`commons-io:[email protected]`	`source_code_sha`
`commons-io:[email protected]`	`source_code_sha`
`dev.equo.ide:[email protected]`	`source_code_sha`
`dom4j:[email protected]`	`source_code`, `code_signature`, `source_code_sha`, `forks`
`io.github.crac:[email protected]`	`source_code_sha`
`io.vertx:[email protected]`	`source_code_sha`
`io.vertx:[email protected]`	`source_code_sha`
`io.vertx:[email protected]`	`source_code_sha`
`io.vertx:[email protected]`	`source_code_sha`
`jakarta.el:[email protected]`	`source_code_sha`
`jakarta.interceptor:[email protected]`	`source_code_sha`
`jakarta.json:[email protected]`	`source_code_sha`
`javax.inject:javax.inject@1`	`code_signature`
`om.kohlschutter.junixsocket:[email protected]`	`code_signature`
`org.aesh:[email protected]`	`code_signature`, `source_code_sha`
`org.aesh:[email protected]`	`code_signature`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.commons:[email protected]`	`source_code_sha`
`org.apache.httpcomponents:[email protected]`	`source_code_sha`
`org.apache.httpcomponents:[email protected]`	`source_code_sha`
`org.apache.httpcomponents:[email protected]`	`source_code_sha`
`org.apache.httpcomponents:[email protected]`	`source_code_sha`
`org.apache.logging.log4j:[email protected]`	`source_code_sha`
`org.apache.logging.log4j:[email protected]`	`source_code_sha`
`org.apache.maven.doxia:[email protected]`	`source_code_sha`
`org.apache.maven.doxia:[email protected]`	`source_code_sha`
`org.apache.maven.doxia:[email protected]`	`source_code_sha`
`org.apache.maven.doxia:[email protected]`	`source_code_sha`
`org.apache.maven.doxia:[email protected]`	`source_code_sha`
`org.apache.maven.doxia:[email protected]`	`source_code_sha`
`org.apache.maven.doxia:[email protected]`	`source_code_sha`
`org.assertj:[email protected]`	`source_code_sha`
`org.bouncycastle:[email protected]`	`source_code_sha`
`org.bouncycastle:[email protected]`	`source_code_sha`
`org.bouncycastle:[email protected]`	`source_code_sha`
`org.bouncycastle:[email protected]`	`source_code_sha`
`org.codehaus.plexus:[email protected]`	`code_signature`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.jetty:[email protected]`	`source_code_sha`
`org.eclipse.platform:[email protected]`	`source_code_sha`
`org.eclipse.sisu:[email protected]`	`source_code_sha`
`org.eclipse.sisu:[email protected]`	`source_code_sha`
`org.eclipse.sisu:[email protected]`	`source_code_sha`
`org.eclipse.sisu:[email protected]`	`source_code_sha`
`org.instancio:[email protected]`	`source_code_sha`
`org.instancio:[email protected]`	`source_code_sha`
`org.iq80.snappy:[email protected]`	`source_code`, `source_code_sha`, `forks`
`org.jboss.logging:[email protected]`	`code_signature`
`org.jboss.logging:[email protected]`	`code_signature`
`org.jboss.logging:[email protected]`	`code_signature`
`org.jboss.logmanager:[email protected]`	`code_signature`
`org.jboss.marshalling:[email protected]`	`source_code_sha`
`org.jboss.slf4j:[email protected]`	`code_signature`, `source_code_sha`
`org.jboss.threads:[email protected]`	`code_signature`
`org.jdom:[email protected]`	`source_code_sha`
`org.jetbrains:[email protected]`	`source_code_sha`
`org.junit.platform:[email protected]`	`source_code_sha`
`org.junit.platform:[email protected]`	`source_code_sha`
`org.junit.platform:[email protected]`	`source_code_sha`
`org.junit.platform:[email protected]`	`source_code_sha`
`org.junit.platform:[email protected]`	`source_code_sha`
`org.sonatype.plexus:[email protected]`	`source_code`, `source_code_sha`, `forks`
`org.sonatype.plexus:[email protected]`	`source_code`, `source_code_sha`, `forks`
`org.twdata.maven:[email protected]`	`source_code_sha`
`org.wildfly.common:[email protected]`	`code_signature`
`oro:[email protected]`	`source_code`, `code_signature`, `source_code_sha`, `forks`

Ignored Checks If Dependency is a Parent 📦➡️👶

Checks will be ignored if the listed dependency is a parent of another package.

Parent Dependency Pattern	Ignored Checks
`com.diffplug.spotless:[email protected]`	`source_code_sha`
`org.apache.maven.plugins:[email protected]`	`source_code_sha`
`org.apache.maven.plugins:[email protected]`	`source_code_sha`

Summary of Findings

How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

⚠️⚠️⚠️ : high severity
⚠️⚠️: medium severity
⚠️: low severity

Total packages in the supply chain: 372

❗ Packages with no source code URL (⚠️⚠️⚠️): 0

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 0

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 12

🔒 Packages without code signature (⚠️⚠️): 0

🔓 Packages with invalid code signature (⚠️⚠️): 0

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

All analyzed packages have a source code repo.

List of packages with available source code repos but with inaccessible commit SHAs/tags (12)

package_name	sha_info	tag_info	parent	command
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
com.diffplug.spotless:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
com.diffplug.spotless:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
com.diffplug.spotless:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
org.eclipse.platform:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
org.junit.platform:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.junit.jupiter:[email protected]`	`tree`
org.junit.platform:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.junit.jupiter:[email protected]`	`tree`
org.apache.logging.log4j:[email protected]	Commit SHA not directly available	Release tag not found in repo	`None`	`tree`
org.apache.logging.log4j:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.logging.log4j:[email protected]`	`tree`
org.instancio:[email protected]	Commit SHA not directly available	Release tag not found in repo	`None`	`tree`
org.instancio:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.instancio:[email protected]`	`tree`
commons-io:[email protected]	Commit SHA not directly available	Release tag not found in repo	`None`	`tree`

The package manager (maven) does not support checking for deprecated packages.

All packages have code signature.

All packages have valid code signature.

The package manager (maven) does not support checking for provenance.

The package manager (maven) does not support checking for aliased packages.

Ignored Smells

The following smells were configured to be ignored in this project:

Source code links that could not be found (1)

package_name	github_url	github_exists	parent	command
org.iq80.snappy:[email protected]	https://github.com/dain/snapy	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`

List of packages with available source code repos but with inaccessible commit SHAs/tags (63)

package_name	sha_info	tag_info	parent	command
com.soebes.itf.jupiter.extension:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.soebes.itf.jupiter.extension:[email protected]`	`resolve-plugins`
com.soebes.itf.jupiter.extension:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.soebes.itf.jupiter.extension:[email protected]`	`tree`
commons-io:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-codec:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.cyclonedx:[email protected]`	`resolve-plugins`
commons-io:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.codehaus.gmavenplus:[email protected]`	`resolve-plugins`
org.eclipse.sisu:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.sisu:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.maven.doxia:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.httpcomponents:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.httpcomponents:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.maven.doxia:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.maven.doxia:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-codec:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-io:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
dev.equo.ide:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
org.jetbrains:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
com.diffplug.durian:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
com.diffplug.durian:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
com.diffplug.durian:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
commons-codec:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-io:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.cyclonedx:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-codec:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.httpcomponents:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.httpcomponents:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
com.google.protobuf:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
com.google.protobuf:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
com.google.guava:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
com.google.guava:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.google.guava:[email protected]`	`tree`
commons-codec:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
com.google.code.gson:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
org.bouncycastle:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
org.bouncycastle:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
org.bouncycastle:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
org.bouncycastle:[email protected]	Commit SHA not directly available	Release tag not found in repo	`dev.sigstore:[email protected]`	`resolve-plugins`
com.google.guava:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.maven.doxia:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.maven.doxia:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.maven.doxia:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.maven.doxia:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.eclipse.jetty:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.apache.commons:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven:[email protected]`	`tree`
org.eclipse.sisu:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven:[email protected]`	`tree`
org.eclipse.sisu:[email protected]	Commit SHA not directly available	Release tag not found in repo	`org.apache.maven:[email protected]`	`tree`
com.google.code.gson:[email protected]	Commit SHA not directly available	Release tag not found in repo	`None`	`tree`
com.soebes.itf.jupiter.extension:[email protected]	Commit SHA not directly available	Release tag not found in repo	`None`	`tree`
com.soebes.itf.jupiter.extension:[email protected]	Commit SHA not directly available	Release tag not found in repo	`None`	`tree`
org.assertj:[email protected]	Commit SHA not directly available	Release tag not found in repo	`com.soebes.itf.jupiter.extension:[email protected]`	`tree`
com.google.guava:[email protected]	Commit SHA not directly available	Release tag not found in repo	`None`	`tree`

List of packages without code signature (10)

package_name	signature_present	signature_valid	parent	command
javax.inject:javax.inject@1	False	False	`org.apache.maven:[email protected]`	`tree`
com.google.collections:[email protected]	False	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
org.codehaus.plexus:[email protected]	False	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-beanutils:[email protected]	False	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-digester:[email protected]	False	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
commons-chain:[email protected]	False	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
dom4j:[email protected]	False	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
oro:[email protected]	False	False	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
com.kohlschutter.junixsocket:[email protected]	False	False	`dev.sigstore:[email protected]`	`resolve-plugins`
aopalliance:[email protected]	False	False	`com.google.inject:[email protected]`	`tree`

Call to Action:

👻What do I do now?

For packages without source code & accessible SHA/release tags:

Why? Missing or inaccessible source code makes it impossible to audit the package for security vulnerabilities or malicious code.

Pull Request to the maintainer of dependency, requesting correct repository metadata and proper versioning/tagging.

Notes

Other info:

Source code repo is not hosted on GitHub: 41

This could be due, for example, to the package being hosted on a different platform.

This does not mean that the source code URL is invalid.

However, for non-GitHub repositories, not all checks can currently be performed.

index	github_url	parent	command
1	Could not find repo from package registry	`com.soebes.itf.jupiter.extension:[email protected]`	`resolve-plugins`
2	Could not find repo from package registry	`com.soebes.itf.jupiter.extension:[email protected]`	`resolve-plugins`
3	Could not find repo from package registry	`org.apache.maven:[email protected]`	`tree`
4	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
5	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
6	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
7	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
8	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
9	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
10	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
11	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
12	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
13	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
14	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
15	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
16	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
17	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
18	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
19	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
20	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
21	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
22	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
23	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
24	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
25	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
26	Could not find repo from package registry	`com.diffplug.spotless:[email protected]`	`resolve-plugins`
27	Could not find repo from package registry	`org.codehaus.gmavenplus:[email protected]`	`resolve-plugins`
28	Could not find repo from package registry	`org.codehaus.gmavenplus:[email protected]`	`resolve-plugins`
29	Could not find repo from package registry	`org.codehaus.gmavenplus:[email protected]`	`resolve-plugins`
30	Could not find repo from package registry	`org.cyclonedx:[email protected]`	`resolve-plugins`
31	Could not find repo from package registry	`org.cyclonedx:[email protected]`	`resolve-plugins`
32	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
33	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
34	Could not find repo from package registry	`dev.sigstore:[email protected]`	`resolve-plugins`
35	Could not find repo from package registry	`dev.sigstore:[email protected]`	`resolve-plugins`
36	Could not find repo from package registry	`dev.sigstore:[email protected]`	`resolve-plugins`
37	Could not find repo from package registry	`com.google.inject:[email protected]`	`tree`
38	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
39	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
40	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
41	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
42	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
43	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
44	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
45	Could not find repo from package registry	`org.apache.maven.plugins:[email protected]`	`resolve-plugins`
46	Could not find repo from package registry	`org.eclipse.sisu:[email protected]`	`tree`

Glossary

source_code: Whether a repo URL is present and valid
- source_code_sha: Whether a commit SHA is available and valid
- forks: Whether the repo is a fork
deprecated: Whether the package is marked deprecated
provenance: Whether build provenance/attestation is provided
code_signature: Whether a code signature is present and valid
aliased_packages: Whether a package is aliased under a different name

Report created by dirty-waters on 2025-08-20 12:08:43.

Tool version: d42b45d3
Project Name: chains-project/maven-lockfile
Project Version: a4bf2b1
Package Manager: maven

algomaster99 · 2025-03-24T09:25:51Z

Same here chains-project/sbom.exe#317 (comment) unless Elias gets here first.

LogFlames · 2025-03-25T15:43:21Z

Nice!

Looking at the deps with missing repo-urls I will have to hunt those down. For example oro:[email protected] is a transitive dependency of maven-artifact-plugin, but haven't found a way to find where it is exactly yet.

randomicecube · 2025-03-26T12:23:09Z

@LogFlames as a glimmer of hope, chains-project/dirty-waters#73 should be merged today and provide you with a lot more detail regarding where each package comes from :)
EDIT: done!

LogFlames · 2025-03-26T15:35:44Z

Nice! Very helpful to identify plugins which have a high number of broken dependencies ^^

Unfortunately oro:[email protected] (and I think some more) are transitive dependencies of maven-artifact-plugin as well :p

LogFlames · 2025-03-28T17:49:27Z

@randomicecube does the workflow need to be triggered in some special way besides a new commit? Or maybe the cache nedes to be cleared?

I merged in main where I had removed maven-eclipse-plugin and some of the critical warnings are gone from the report. However, two still remain (org.sonatype.plexus:[email protected] and org.sonatype.plexus:[email protected]).

When running mvn dependency:resolve-plugins manually these are part of the dependency tree but not under maven-eclipse-plugin as currently stated in the report but instead under maven-artifact-plugin. From the output of resolve-plugins I don't see any maven-eclipse-plugin remaining.

randomicecube · 2025-03-29T16:03:53Z

@randomicecube does the workflow need to be triggered in some special way besides a new commit? Or maybe the cache nedes to be cleared?

Maybe there's a cache issue, but it doesn't make a lot of sense to me -- between the latest and the second-to-last comment, there are 60 less packages in the supply chain, which I'm assuming are related with the changes coming from main? And maybe those then reflect on the less amount of warnings now?

I merged in main where I had removed maven-eclipse-plugin and some of the critical warnings are gone from the report. However, two still remain (org.sonatype.plexus:[email protected] and org.sonatype.plexus:[email protected]).
When running mvn dependency:resolve-plugins manually these are part of the dependency tree but not under maven-eclipse-plugin as currently stated in the report but instead under maven-artifact-plugin. From the output of resolve-plugins I don't see any maven-eclipse-plugin remaining.

Regarding this, that hadn't happened to me before (in fact, I vividly remember them being under maven-artifact-plugin, as you said); I will try and see what's going on, and update you afterward

randomicecube · 2025-03-29T16:17:02Z

Hey @LogFlames I just ran the resolve-plugins goal locally and got the following:

Does the same happen to you? If so, this does seem to indicate that it makes sense for it to be connected to eclipse-plugin

LogFlames · 2025-03-30T17:41:22Z

@randomicecube I don't get the same output, did you pull this branch after I merged in main where maven-eclipse-plugin had been removed?

This is my output:

mvn dependency:resolve-plugins

[INFO] Scanning for projects...
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO] 
[INFO] maven-lockfile-parent                                              [pom]
[INFO] maven-lockfile-plugin                                     [maven-plugin]
[INFO] maven-lockfile-github-action                                       [jar]
[INFO] 
[INFO] -----------< io.github.chains-project:maven-lockfile-parent >-----------
[INFO] Building maven-lockfile-parent 5.4.3-SNAPSHOT                      [1/3]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:resolve-plugins (default-cli) @ maven-lockfile-parent ---
[INFO] Plugin Resolved: spotless-maven-plugin-2.44.3.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-3.1.0.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-extra-3.1.0.jar
[INFO]     Plugin Dependency Resolved: durian-core-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-io-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-collect-1.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-resources-1.3.0.jar
[INFO]     Plugin Dependency Resolved: org.eclipse.jgit-6.10.0.202406032230-r.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: maven-artifact-plugin-3.6.0.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.1.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.18.0.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-1.12.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-impl-3.1.0.jar
[INFO] Plugin Resolved: maven-install-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO] Plugin Resolved: cyclonedx-maven-plugin-2.9.1.jar
[INFO]     Plugin Dependency Resolved: cyclonedx-core-java-9.0.5.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-tree-3.3.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-analyzer-1.14.1.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-clean-plugin-3.4.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: gmavenplus-plugin-4.1.1.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.3.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.14.0.jar
[INFO]     Plugin Dependency Resolved: jansi-2.4.1.jar
[INFO]     Plugin Dependency Resolved: jline-2.14.6.jar
[INFO]     Plugin Dependency Resolved: ant-1.10.15.jar
[INFO]     Plugin Dependency Resolved: ivy-2.5.2.jar
[INFO] Plugin Resolved: maven-compiler-plugin-3.14.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-shared-incremental-1.1.jar
[INFO]     Plugin Dependency Resolved: plexus-java-1.4.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-api-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-manager-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-javac-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: maven-jar-plugin-3.4.2.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.9.2.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: slf4j-api-1.7.36.jar
[INFO] Plugin Resolved: maven-enforcer-plugin-3.5.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-api-3.5.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-rules-3.5.0.jar
[INFO] Plugin Resolved: maven-site-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-api-4.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-exec-2.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.10.0.jar
[INFO]     Plugin Dependency Resolved: plexus-i18n-1.0-beta-10.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-core-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xhtml5-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-apt-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xdoc-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-fml-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-markdown-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-model-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-renderer-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-integration-tools-2.0.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: jetty-server-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-http-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-servlet-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-webapp-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-util-9.4.56.v20240826.jar
[INFO] Plugin Resolved: maven-resources-plugin-3.3.1.jar
[INFO]     Plugin Dependency Resolved: plexus-interpolation-1.26.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.11.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.12.0.jar
[INFO] Plugin Resolved: maven-deploy-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO] 
[INFO] --------------< io.github.chains-project:maven-lockfile >---------------
[INFO] Building maven-lockfile-plugin 5.4.3-SNAPSHOT                      [2/3]
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:resolve-plugins (default-cli) @ maven-lockfile ---
[INFO] Plugin Resolved: spotless-maven-plugin-2.44.3.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-3.1.0.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-extra-3.1.0.jar
[INFO]     Plugin Dependency Resolved: durian-core-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-io-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-collect-1.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-resources-1.3.0.jar
[INFO]     Plugin Dependency Resolved: org.eclipse.jgit-6.10.0.202406032230-r.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: itf-maven-plugin-0.13.1.jar
[INFO]     Plugin Dependency Resolved: aether-util-1.0.0.v20140518.jar
[INFO]     Plugin Dependency Resolved: itf-extension-maven-0.13.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO] Plugin Resolved: maven-artifact-plugin-3.6.0.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.1.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.18.0.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-1.12.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-impl-3.1.0.jar
[INFO] Plugin Resolved: maven-install-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO] Plugin Resolved: cyclonedx-maven-plugin-2.9.1.jar
[INFO]     Plugin Dependency Resolved: cyclonedx-core-java-9.0.5.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-tree-3.3.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-analyzer-1.14.1.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-clean-plugin-3.4.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: gmavenplus-plugin-4.1.1.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.3.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.14.0.jar
[INFO]     Plugin Dependency Resolved: jansi-2.4.1.jar
[INFO]     Plugin Dependency Resolved: jline-2.14.6.jar
[INFO]     Plugin Dependency Resolved: ant-1.10.15.jar
[INFO]     Plugin Dependency Resolved: ivy-2.5.2.jar
[INFO] Plugin Resolved: maven-compiler-plugin-3.14.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-shared-incremental-1.1.jar
[INFO]     Plugin Dependency Resolved: plexus-java-1.4.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-api-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-manager-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-javac-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: maven-jar-plugin-3.4.2.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.9.2.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: slf4j-api-1.7.36.jar
[INFO] Plugin Resolved: maven-plugin-plugin-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-api-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-generators-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-java-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-annotations-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-annotations-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-ant-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-tools-beanshell-3.15.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-velocity-2.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: maven-enforcer-plugin-3.5.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-api-3.5.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-rules-3.5.0.jar
[INFO] Plugin Resolved: maven-site-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-api-4.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-exec-2.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.10.0.jar
[INFO]     Plugin Dependency Resolved: plexus-i18n-1.0-beta-10.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-core-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xhtml5-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-apt-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xdoc-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-fml-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-markdown-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-model-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-renderer-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-integration-tools-2.0.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: jetty-server-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-http-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-servlet-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-webapp-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-util-9.4.56.v20240826.jar
[INFO] Plugin Resolved: maven-resources-plugin-3.3.1.jar
[INFO]     Plugin Dependency Resolved: plexus-interpolation-1.26.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.11.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.12.0.jar
[INFO] Plugin Resolved: maven-failsafe-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-booter-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-shared-utils-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-deploy-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO] 
[INFO] -------< io.github.chains-project:maven-lockfile-github-action >--------
[INFO] Building maven-lockfile-github-action 5.4.3-SNAPSHOT               [3/3]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:resolve-plugins (default-cli) @ maven-lockfile-github-action ---
[INFO] Plugin Resolved: spotless-maven-plugin-2.44.3.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-3.1.0.jar
[INFO]     Plugin Dependency Resolved: spotless-lib-extra-3.1.0.jar
[INFO]     Plugin Dependency Resolved: durian-core-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-io-1.2.0.jar
[INFO]     Plugin Dependency Resolved: durian-collect-1.2.0.jar
[INFO]     Plugin Dependency Resolved: plexus-resources-1.3.0.jar
[INFO]     Plugin Dependency Resolved: org.eclipse.jgit-6.10.0.202406032230-r.jar
[INFO]     Plugin Dependency Resolved: plexus-build-api-0.0.7.jar
[INFO] Plugin Resolved: maven-artifact-plugin-3.6.0.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.20.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.1.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.18.0.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-1.12.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-impl-3.1.0.jar
[INFO] Plugin Resolved: maven-install-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO] Plugin Resolved: quarkus-maven-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-bootstrap-core-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-bootstrap-maven-resolver-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-core-deployment-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-project-core-extension-codestarts-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-devtools-common-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-analytics-common-3.21.0.jar
[INFO]     Plugin Dependency Resolved: quarkus-cyclonedx-generator-3.21.0.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: freemarker-2.3.34.jar
[INFO]     Plugin Dependency Resolved: parsson-1.1.7.jar
[INFO]     Plugin Dependency Resolved: jackson-databind-2.18.2.jar
[INFO]     Plugin Dependency Resolved: mojo-executor-2.4.0.jar
[INFO]     Plugin Dependency Resolved: slf4j-jboss-logmanager-2.0.0.Final.jar
[INFO] Plugin Resolved: cyclonedx-maven-plugin-2.9.1.jar
[INFO]     Plugin Dependency Resolved: cyclonedx-core-java-9.0.5.jar
[INFO]     Plugin Dependency Resolved: commons-codec-1.17.1.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-tree-3.3.0.jar
[INFO]     Plugin Dependency Resolved: maven-dependency-analyzer-1.14.1.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-clean-plugin-3.4.1.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: gmavenplus-plugin-4.1.1.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.3.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.14.0.jar
[INFO]     Plugin Dependency Resolved: jansi-2.4.1.jar
[INFO]     Plugin Dependency Resolved: jline-2.14.6.jar
[INFO]     Plugin Dependency Resolved: ant-1.10.15.jar
[INFO]     Plugin Dependency Resolved: ivy-2.5.2.jar
[INFO] Plugin Resolved: maven-compiler-plugin-3.14.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-shared-incremental-1.1.jar
[INFO]     Plugin Dependency Resolved: plexus-java-1.4.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-api-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-manager-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-compiler-javac-2.15.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO] Plugin Resolved: maven-jar-plugin-3.4.2.jar
[INFO]     Plugin Dependency Resolved: file-management-3.1.0.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.9.2.jar
[INFO]     Plugin Dependency Resolved: javax.inject-1.jar
[INFO]     Plugin Dependency Resolved: slf4j-api-1.7.36.jar
[INFO] Plugin Resolved: maven-enforcer-plugin-3.5.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-api-3.5.0.jar
[INFO]     Plugin Dependency Resolved: enforcer-rules-3.5.0.jar
[INFO] Plugin Resolved: maven-site-plugin-3.21.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-api-4.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-reporting-exec-2.0.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.4.2.jar
[INFO]     Plugin Dependency Resolved: maven-archiver-3.6.2.jar
[INFO]     Plugin Dependency Resolved: plexus-archiver-4.10.0.jar
[INFO]     Plugin Dependency Resolved: plexus-i18n-1.0-beta-10.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: doxia-sink-api-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-core-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xhtml5-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-apt-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-xdoc-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-fml-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-module-markdown-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-model-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-site-renderer-2.0.0.jar
[INFO]     Plugin Dependency Resolved: doxia-integration-tools-2.0.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.17.0.jar
[INFO]     Plugin Dependency Resolved: jetty-server-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-http-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-servlet-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-webapp-9.4.56.v20240826.jar
[INFO]     Plugin Dependency Resolved: jetty-util-9.4.56.v20240826.jar
[INFO] Plugin Resolved: maven-resources-plugin-3.3.1.jar
[INFO]     Plugin Dependency Resolved: plexus-interpolation-1.26.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.5.1.jar
[INFO]     Plugin Dependency Resolved: maven-filtering-3.3.1.jar
[INFO]     Plugin Dependency Resolved: commons-io-2.11.0.jar
[INFO]     Plugin Dependency Resolved: commons-lang3-3.12.0.jar
[INFO] Plugin Resolved: maven-failsafe-plugin-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-booter-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-extensions-api-3.5.2.jar
[INFO]     Plugin Dependency Resolved: surefire-shared-utils-3.5.2.jar
[INFO]     Plugin Dependency Resolved: maven-surefire-common-3.5.2.jar
[INFO] Plugin Resolved: maven-deploy-plugin-3.1.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-4.0.1.jar
[INFO]     Plugin Dependency Resolved: plexus-xml-3.0.1.jar
[INFO]     Plugin Dependency Resolved: maven-resolver-util-1.9.22.jar
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for maven-lockfile-parent 5.4.3-SNAPSHOT:
[INFO] 
[INFO] maven-lockfile-parent .............................. SUCCESS [  0.306 s]
[INFO] maven-lockfile-plugin .............................. SUCCESS [  0.067 s]
[INFO] maven-lockfile-github-action ....................... SUCCESS [  0.086 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.079 s
[INFO] Finished at: 2025-03-30T19:36:57+02:00
[INFO] ------------------------------------------------------------------------
[INFO] 3 goals, 3 executed

randomicecube · 2025-03-30T22:15:49Z

@LogFlames you are right, I hadn't pulled, I'll run the tool again on this commit and try to see what may be happening.

First thoughts though are that it is probably a cache-related issue: on dependency extraction, we'll see a previously cached dependency, which will come with the extracted parent as well, and just use it; I'll tinker with this
EDIT: that'd be weird though, because caching here is made on the pom-level, and the hashes between the two POM files shouldn't be the same... weird

randomicecube · 2025-03-30T22:35:42Z

Re-running with debug because I'm scratching my head at this one, doesn't really make sense since because of the pom's hash being the cache key, I don't get where it got that parent from, it should have been reset

randomicecube · 2025-03-30T23:04:41Z

@LogFlames fixed, I think!

LogFlames · 2025-04-01T18:33:04Z

Awesome! Thanks!

maven-artifact-plugin will be difficult to remove and we are on the latest version. Is there some option to whitelist those repositories so CI will succeed, but it will still fail if more/new dependencies have critical warnings?

randomicecube · 2025-04-02T08:03:12Z

@LogFlames yes! See https://github.com/chains-project/dirty-waters/?tab=readme-ov-file#configuration

Although this doesn't support ignoring packages w/ certain parents, just packages themselves -- I will add support for that!

randomicecube · 2025-04-02T09:02:39Z

@LogFlames v1.11.35 now gives the ability to ignore deps w/ certain parents; docs about this still at https://github.com/chains-project/dirty-waters/?tab=readme-ov-file#configuration!

LogFlames · 2025-04-02T11:03:50Z

Awesome!

I'm guessing "provenance" is the check that checks source code url? Would like to disable as few checks as possible. Are the available options documented somewhere? (maybe the report could make it more obvious what each check is called in code?)

EDIT: Changed to "source_code" and "source_code_sha"

LogFlames · 2025-04-02T16:36:44Z

I've tried to add the config but it doesn't find the file. When adding the option config: dirty-waters.json the following is observed:

Running command: python main.py -p chains-project/maven-lockfile -v HEAD -pm maven -n --debug --config dirty-waters.json --gradual-report=false
2025-04-02 14:33:44,612:root:WARNING:Config file not found at dirty-waters.json, using default config

I also tried config: chains-project/maven-lockfile/dirty-waters.json but got the same warning:

Running command: python main.py -p chains-project/maven-lockfile -v HEAD -pm maven -n --debug --config chains-project/maven-lockfile/dirty-waters.json --gradual-report=false
2025-04-02 16:00:23,241:root:WARNING:Config file not found at chains-project/maven-lockfile/dirty-waters.json, using default config

The file dirty-waters.json is added in the root of the project in this branch but not in main.

I thought it was because it checked against the main branch, but changing version_old to ${{ github.event.pull_request.head.ref }} didn't seem to change anything, so I guess it uses the version pulled down by actions/checkout?

@randomicecube Do you know/have an example of how to configure the action to use a config-file?

randomicecube · 2025-04-02T21:26:21Z

Fixed the config file part, found another bug related with ignored-per-dep checks after being cached :) fixing that as well

randomicecube · 2025-04-02T21:49:11Z

Okay right, this is still happening because checking for source_code_sha leads to source_code being activated; if you do the checks via CLI this would be disallowed, however in the config ignore checks it is allowed, I'll fix it so it isn't anymore
EDIT: I think it's actually more intuitive to resolve them and document that it is happening, so I did that

LogFlames · 2025-04-03T11:02:09Z

Awesome, now all critical and medium warnings have been added to the ignore and CI passes! 🎉

Before we merge we should add harden-runner to the workflow and pin all actions to sha's instead of tags.

I also think it would be nice if the report included the number of suppressed or ignored warnings, for example as footnotes (or some other formatting).

Total packages in the supply chain: 427

❗ Packages with no source code URL (⚠️⚠️⚠️): 0¹

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 0²

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 0³

🔒 Packages without code signature (⚠️⚠️): 0⁴

🔓 Packages with invalid code signature (⚠️⚠️): 0

Suppressed 5 warnings for ❗ Packages with no source code URL (⚠️⚠️⚠️) ↩
Suppressed 1 warning for ⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️) ↩
Suppressed 66 warnings for 🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️) ↩
Suppressed 18 warnings for 🔒 Packages without code signature (⚠️⚠️) ↩

randomicecube · 2025-04-04T09:50:01Z

That's an interesting suggestion, I'll add it as an issue!

…y were shown, even if ignored

…nstead of breaking

randomicecube self-assigned this Mar 21, 2025

LogFlames mentioned this pull request Mar 25, 2025

➖ (deps): Remove maven-eclipse-plugin #1146

Merged

LogFlames mentioned this pull request Mar 26, 2025

✨ feat: add dirty-waters to CI #1083

Closed

6 tasks

LogFlames changed the title ~~chore: add [email protected] to code quality workflow~~ 👷 ci: add [email protected] to code quality workflow Mar 26, 2025

LogFlames mentioned this pull request Mar 28, 2025

➖ (deps): Remove critical warnings from Dirty Waters-analysis. #1150

Closed

randomicecube mentioned this pull request Mar 30, 2025

dog-fooding dirty-waters-action in our own projects chains-project/dirty-waters#58

Open

6 tasks

LogFlames changed the title ~~👷 ci: add [email protected] to code quality workflow~~ 👷 ci: add [email protected] to code quality workflow Apr 2, 2025

randomicecube mentioned this pull request Apr 4, 2025

add footnotes w/ supressed/ignored warning counts chains-project/dirty-waters#137

Closed

randomicecube and others added 29 commits August 20, 2025 13:53

bump to v1.11.39; new version fixes config-file bug

04bcb3e

chore: bump to v1.11.40; fixes issue where if entries were cached the…

8933ed1

…y were shown, even if ignored

chore: bump to v1.11.41; added check for disallowing conflicting configs

0906a71

chore: bump to v1.11.42; dirty-waters now resolves config conflicts i…

988e791

…nstead of breaking

Do not check for source code, avoid 404

3b7de10

Ignore source_code_sha, missing tags for plugins with many deps

cf57a06

Ignore code_signatures for deps with missing

bf82d29

Ignore deps with missing tags

3e89055

Formatting error

13a6faa

JSON formatting errors

d5960f0

Pin actions to sha's

0b41cf4

Add harden runner with audit

fcd7eb9

Enable sudo

bd2c1eb

use tag to test if sha breaks config

ce9ddec

Add commit to have comment removed in prev commit

7d81f2d

Add sigstore dep to code signature ignore list

ecaae14

Remove empty lines at bottom of file

8262d65

Update to 1.11.43

ef14649

Bump dirty-waters-action to 1.11.45, using dirty-waters 0.97.0

30a0ca0

Sort alphabetically

5d19f0e

Add ignore of missing code signature

587f514

Add ghasum, update dirty-waters action

8f38bcc

Add new missing code shas to config ignore

417e982

chore: update ghasum checksums

579ce63

Update harden runner

a910020

update gha.sum

4ac23da

Update dirty waters action to 1.11.52

e6434d0

Update gha.sum

801afa0

Pin actions

a4bf2b1

LogFlames force-pushed the diogo/add-dirty-waters-action branch from 4b82bdb to a4bf2b1 Compare August 20, 2025 12:01

👷 ci: add [email protected] to code quality workflow #1134

Are you sure you want to change the base?

👷 ci: add [email protected] to code quality workflow #1134

Uh oh!

Conversation

randomicecube commented Mar 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

randomicecube commented Mar 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Mar 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Software Supply Chain Report of chains-project/maven-lockfile - a4bf2b1

📚 Table of Contents

Enabled Checks

Ignore Configuration Summary

Summary of Findings

Total packages in the supply chain: 372

Fine grained information

Ignored Smells

Call to Action:

Notes

Glossary

Uh oh!

algomaster99 commented Mar 24, 2025

Uh oh!

LogFlames commented Mar 25, 2025

Uh oh!

randomicecube commented Mar 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LogFlames commented Mar 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LogFlames commented Mar 28, 2025

Uh oh!

randomicecube commented Mar 29, 2025

Uh oh!

randomicecube commented Mar 29, 2025

Uh oh!

LogFlames commented Mar 30, 2025

Uh oh!

randomicecube commented Mar 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

randomicecube commented Mar 30, 2025

Uh oh!

randomicecube commented Mar 30, 2025

Uh oh!

LogFlames commented Apr 1, 2025

Uh oh!

randomicecube commented Apr 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

randomicecube commented Apr 2, 2025

Uh oh!

LogFlames commented Apr 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LogFlames commented Apr 2, 2025

Uh oh!

randomicecube commented Apr 2, 2025

Uh oh!

randomicecube commented Apr 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

LogFlames commented Apr 3, 2025

Total packages in the supply chain: 427

❗ Packages with no source code URL (⚠️⚠️⚠️): 01

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 02

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 03

🔒 Packages without code signature (⚠️⚠️): 04

🔓 Packages with invalid code signature (⚠️⚠️): 0

Footnotes

Uh oh!

randomicecube commented Apr 4, 2025

Uh oh!

Uh oh!

randomicecube commented Mar 21, 2025 •

edited

Loading

randomicecube commented Mar 21, 2025 •

edited

Loading

github-actions bot commented Mar 21, 2025 •

edited

Loading

Software Supply Chain Report of chains-project/maven-lockfile - `a4bf2b1`

randomicecube commented Mar 26, 2025 •

edited

Loading

LogFlames commented Mar 26, 2025 •

edited

Loading

randomicecube commented Mar 30, 2025 •

edited

Loading

randomicecube commented Apr 2, 2025 •

edited

Loading

LogFlames commented Apr 2, 2025 •

edited

Loading

randomicecube commented Apr 2, 2025 •

edited

Loading

❗ Packages with no source code URL (⚠️⚠️⚠️): 0¹

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 0²

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 0³

🔒 Packages without code signature (⚠️⚠️): 0⁴