Component Whitelist not working Part 2
Issue #323
resolved
For whatever reason
https://www.versioneye.com/java/org.jenkins-ci.plugins:credentials is incredibly out of date. The current version is 2.1.X (something) yet it is saying the initial release is the up to date one. So i made a component whitelist and added
org.jenkins-ci.plugins:credentials:1.9.4 org.jenkins-ci.plugins:credentials org.jenkins-ci.plugins
I tried all 3 and reparsed and yet it still shows red as a violation. So not only is the check broken but the component whitelist doesn't work.
-
Project Link: https://www.versioneye.com/user/projects/582e557fc8dd330045914348
-
Current Credentials Dependancy: https://www.versioneye.com/java/org.jenkins-ci.plugins:credentials/1.9.4 (Note version eye says latest is 1.22)
-
Maven Repository: https://mvnrepository.com/artifact/org.jenkins-ci.plugins/credentials (shows 2.1.8 as latest which is in line with the wiki documentation https://wiki.jenkins-ci.org/display/JENKINS/Credentials+Plugin)
-
There seems to be a bug with version eye when evaluating this plugin for whatever reason. So i tried to flag it as always true using the whitelist.
-
Added the MIT License to the whitelist and the component org.jenkins-ci.plugins:credentials:1.9.4
-
yet for some reason credentials is flagged as outdated still and the other dependancy zap-clientapi is no longer listed.
-
Project pom available here: https://github.com/jenkinsci/zap-plugin/blob/master/pom.xml
-
This seems to be a common issue with all jenkins and hudson plugins :( since they do not seem to be indexed on search.maven.org for some reason
-
Basically the backend for the jenkins update center will limit the versions of plugins that it advertises to those plugins that are compatible with specific baseline versions of Jenkins. Thus: https://updates.jenkins-ci.org/1.580/update-center.json will have the newest version of credentials that is compatible with 1.580+... which is 1.28 whereas https://updates.jenkins-ci.org/1.609/update-center.json has the newest version compatible with 1.609+... which is 2.1.9 (search org.jenkins-ci.plugins:credentials in this example)
-
In my case i am reporting a bug with the indexing. But i would love to know how to exclude that check since i can't seem to with whitelisting :(
original post: https://bitbucket.org/versioneye/versioneye/issues/320/component-whitelist-not-working
Any kind of feedback would be appricated :) Thank you!
Comments (8)
-
-
Hi @JordanGS could please post a link to your VersionEye organisation? I would like to take a look to your license whitelist and component whitelist. The project link to your VersionEye project you posted above doesn't work anymore. I assume you removed the project?
-
Hi @JordanGS I just found version 2.1.9 of the package here: https://repo.jenkins-ci.org/public/org/jenkins-ci/plugins/credentials/. Why is the Jenkins team maintaining their own Mvn Repo? What's wrong with Maven Central? Publishing Artefacts to http://search.maven.org/ is a one liner and it's free! Currently VersionEye is not crawling https://repo.jenkins-ci.org/public/. I have to think about adding it.
-
reporter
Hello @Robert Reiz
Yes, i had removed it since it was throwing me errors for pull requests saying dependancy checks were failing. Thank you for replying, i have created a new one https://www.versioneye.com/user/projects/585024718de92a0042eb42d4
"Why is the Jenkins team maintaining their own Mvn Repo? What's wrong with Maven Central?" To answer your question, i don't know. I am not a member of the Jenkins Core Team, simply a plugin developer. However i do know that for a long time they have been using their own repository for Jenkins rather than Maven Central and I can't see that changing anytime soon. So from my point of view, i love using Version Eye and would love to continue doing so. You or I can ask in the google group: https://groups.google.com/forum/#!forum/jenkinsci-users if you like about why they are using their own repo and not maven central.
-
Hi @JordanGS I just posted here my question: https://groups.google.com/forum/#!topic/jenkinsci-users/L74kNGQBb8I
-
- changed status to resolved
I added the Jenkins MVN repo to the VersionEye crawling framework. The initial crawl is still running. But the credentials package is already picked up. Here is the package with the newest version 2.1.10:
https://www.versioneye.com/java/org.jenkins-ci.plugins:credentials/2.1.10
It will take a couple hours until everything is shacked down, but tomorrow it should be fine. Feel free to reopen this ticket if you still have issues.
-
reporter
@reiz Thanks a lot for adding it! How would i go about resolving the license issues? Or should i create a separate issue for that. Happy new years.
-
Hi @JordanGS. That would be another ticket. But if you are having a dependency with a "red" license you can either drop the dependency or you ask the maintainers of the software package for a different license. That last option usually involves Money ;-)
- Log in to comment
Hi @JordanGS The newest version of the org.jenkins-ci.plugins:credentials component is 1.22 and not 1.9.4! Simply because 22 is higher than 9 ;-) And version 1.22 is marked as newest in the repository maven-metadate.xml here: http://jcenter.bintray.com/org/jenkins-ci/plugins/credentials/maven-metadata.xml. I take a look to the other points.