[BUG] com.google.code.findbugs/[email protected] version problem #705
Comments
Hi @rubensa, you have to add the GA Red Hat Repository to your Maven repositories in the settings.xml file; you can find the instructions here.
@ruromero Thanks for the info. But the thing is, why is the extension proposing a fix for a package with 0 vulnerabilities, and why is the proposed package not from Maven Central but from another repository (whereas the original one is in Maven Central)?
Hi @rubensa, that's why it is underlined in blue, meaning that it's just a suggestion.
@ruromero Could you provide me the URL for the RH repository with the source code?
Definitely! In the same Maven repository you can find all the sources.
Thanks @ruromero, but I was meaning the source code repository (GitHub or something?) 😓
For this specific package I honestly don't know. The pom says the source control management is at http://findbugs.googlecode.com/svn/trunk/ but this link is not working.
I think that is because the code in the googlecode repository is now archived: https://code.google.com/archive/p/findbugs/source/default/source It was, at some time, moved to GitHub: https://github.com/findbugsproject/findbugs But currently, the development is done in a new GitHub project: https://github.com/spotbugs/spotbugs The thing here is that all those source code repositories are for the original project code, not the Red Hat "modified" code...
@rubensa I'm afraid I can't give you a proper answer. Red Hat modified code is sometimes managed in internal repositories, although the packages published include the source. Why do you think this is relevant information in this extension?
@ruromero I think it is relevant, as the extension is suggesting to replace the Google FindBugs dependency with a "custom" Red Hat implementation dependency that is not available in the default Maven (Central) repository, so it implies adding the Red Hat Early Access repository, and without a clear reason for that suggestion, as there seem to be no vulnerabilities in the Google FindBugs implementation (remember that the message says
To be precise, we're suggesting to add the Red Hat GA repository. The reasons were stated a few comments above; let me know if they're not clear. Some companies/teams usually have a set of whitelisted/trusted sources for repositories that might not be limited only to Maven Central. What the tool is trying to achieve with the recommendations is to get more users to use the Red Hat supported software, but maybe if you don't want to have Red Hat recommendations you might find an option to disable them useful? Thanks for your interest.
Thanks @ruromero, an option to disable this kind of recommendation would be fine for us.
Describe the bug
I have:
as a dependency in my pom.xml.
I'm getting the following problem message from the Red Hat Dependency Analytics plugin:
VSCode:
Additional context
I tried to use the com.google.code.findbugs/[email protected] version, but it looks like it is only available in the Red Hat Early Access repository (but not in Maven Central).
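A check worth running before acting on a suggestion like this one: confirm which repositories actually publish the proposed coordinate, rather than adding a repository on the strength of a plugin hint. This is an added example in Python, not code from the Dependency Analytics extension; the coordinates, the "extra-repo" placeholder URL and the ".redhat-" version-qualifier convention are assumptions.

```python
"""Check which configured repositories actually serve a Maven coordinate before
accepting a suggestion to add one. Added example, not Dependency Analytics code;
coordinates and the second repository URL below are constructed placeholders."""
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

REPOSITORIES = {
    "central": "https://repo1.maven.org/maven2/",      # the well-known default
    "extra-repo": "https://example.invalid/maven/",  # placeholder, not real
}

def parse_coordinate(coord: str):
    """Split 'groupId/artifactId@version' (the form used in the issue) into parts."""
    group_artifact, sep, version = coord.partition("@")
    if not sep or not version:
        raise ValueError(f"missing version in {coord!r}")
    group, sep, artifact = group_artifact.partition("/")
    if not sep or not group or not artifact:
        raise ValueError(f"expected groupId/artifactId in {coord!r}")
    return group, artifact, version

def pom_path(coord: str) -> str:
    """Relative path of the coordinate's POM in the standard Maven repository layout."""
    group, artifact, version = parse_coordinate(coord)
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.pom"

def is_redhat_build(coord: str) -> bool:
    """Assumed convention: Red Hat rebuilds carry a '.redhat-' version qualifier."""
    return ".redhat-" in parse_coordinate(coord)[2]

def exists_in(repo_url: str, coord: str, timeout: float = 10.0) -> bool:
    """HEAD the POM under repo_url; True only on HTTP 200 (needs network access)."""
    req = Request(repo_url + pom_path(coord), method="HEAD")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (HTTPError, URLError):
        return False

def locate(coord: str, repos=REPOSITORIES):
    """Names of the configured repositories that serve the coordinate."""
    return [name for name, url in repos.items() if exists_in(url, coord)]

if __name__ == "__main__":
    # Constructed coordinates sharing the issue's groupId: one upstream, one Red Hat-style.
    for c in ("com.google.code.findbugs/annotations@3.0.1",
              "com.google.code.findbugs/annotations@3.0.1.redhat-00001"):
        kind = "redhat build" if is_redhat_build(c) else "upstream build"
        print(c, kind, "->", locate(c) or "not found in configured repositories")
```

A coordinate that resolves only from a repository outside your trusted set is the signal to review before editing settings.xml.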