Skip to content

Latest commit

 

History

History
156 lines (107 loc) · 8.9 KB

File metadata and controls

156 lines (107 loc) · 8.9 KB

Maven metadata URI example branch parameter Codacy Badge

Dependency-Updates-Report Plugin for SonarQube 7.9 to 9.1

Integrates dependency updates report from versions-maven-plugin into SonarQube v7.9. The plugin is compatible to SonarQube versions 7.9 to 9.1.

About dependency updates report

The versions-maven-plugin has the goal dependency-updates-report which creates an overview about available updates for the dependencies of a Maven project. There can be incremental, minor or major version updates.

Note

This SonarQube plugin does not perform analysis, rather, it reads existing dependency-updates-reports. Please refer to versions-maven-plugin for relevant documentation how to generate the reports.

Metrics

The plugin keeps track of the following statistics:

Metric Description
Dependencies to patch The number of dependencies with patches available (incremental updates).
Dependencies to patch (Ratio) The ratio of dependencies to patch.
Dependencies to upgrade The number of dependencies with upgrades available (minor and/or major updates).
Dependencies to upgrade (Ratio) The ratio of dependencies to upgrade.
Dependencies Total The total number of dependencies.
Patch maintenance The rating of the patch maintenance (see below)
Patches missed The total number of patches missed.
Upgrade maintenance The rating of the upgrade maintenance (see below)
Upgrades missed The total number of upgrades missed.

Please note that when computing measures on directory/module/project level measures for identical dependencies will be included only once. E.g. if a project contains two sub models having same dependency, this is included in the measure for each sub module. For the project the measure will not include the dependency multiple times (for each sub module) but only once.

Maintenance rating

The maintenance rating is based on the ratio of dependencies with patches/upgrades and the total number of dependencies. The ratios of <=5%, <=10%, <=20%, <=50% and >50% are the guidelines to define the rating. There are slightly adoptions for projects with less than 50 dependencies.

This metric is not final. For now the rating is calculated the following way.

Ratings a b c d e
Ratio <=~5% <=~10% <=~20% <=~50% >50%
0 - 10 dependencies 0 1 2 3-5 >5
11 - 20 dependencies 0-1 2-3 4-5 6-10 >10
21 - 50 dependencies 0-2 3-5 6-10 11-25 >25
50 - dependencies 0-5 6-10 11-20 21-50 >50

Installation

Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.

Plugin Configuration

The versions-maven-plugin will output a file named 'dependency-updates-report.xml' when asked to output XML. The mathan-dependency-updates-sonar-plugin reads an existing dependency updates XML report.

There is additional configuration available which enables to override the default mapping from available updates to SonarQube severity. It is also possible to include or exclude certain dependencies for the check. Reducing or raising the severity for dependencies can be done too.

Artifact pattern syntax

The filters defined are using a special artifact pattern syntax already known from Maven extended to allow a comma separated list of such patterns.

The pattern is defined like this: [groupId]:[artifactId]:[type]:[version]:[scope]:[classifier].

Each pattern segment is optional and supports full and partial * wildcards. An empty pattern segment is treated as an implicit wildcard. For example, org.apache.* would match all artifacts whose group id started with org.apache., and :::*-SNAPSHOT would match all snapshot artifacts.

Configuration properties

This plugin offers various configuration options which are explained in the following categories. The settings can be found under Administration > Configuration > General Settings > Dependency-Updates.

Appearance

By default 9 metrics will be reported. With the following configuration metrics for ratio, rating and missed patches/upgrades can be hidden. Changes to the setting in this category need a restart of SonarQube to take effect.

Property Default
Hide missed measures false
Hide rating measures false
Hide ratio mesasures false

Default Severity

For each kind of update for a dependency the default severity can be defined. This results in all issues for available updates of a kind to be created with this severity. All possible severities can be used as value. (INFO, MINOR, MAJOR, CRITICAL, BLOCKER)

Property Default
sonar.dependencyUpdates.updateIncremental Severity.MINOR
sonar.dependencyUpdates.updateMinor Severity.MAJOR
sonar.dependencyUpdates.updateMajor Severity.CRITICAL

Inclusions/ Exclusions

By default updates for all dependencies are reported. A whitelist filter and/or a blacklist filter can be used to include/exclude certain dependencies. These filter use the artifact pattern syntax described above. Some common use cases for the filter are

  • exclude SNAPSHOT dependencies (:::*-SNAPSHOT)
  • exclude dependencies with scope test (::::test)
  • include dependencies of own company only (e.g com.mycompany.*)
Property Default
sonar.dependencyUpdates.inclusions ::::: (include all)
sonar.dependencyUpdates.exclusions (none)

Overrides

In addition to global inclusion/exclusion filter and the option to define the default severity for the kind of updates, overrides can be defined for all severities. Using such a whitelist filter will report updates found for matching dependencies with the regarding severity. Some common use cases for the filter is

  • increase severity for security related dependencies
Property Default
sonar.dependencyUpdates.override.info (none)
sonar.dependencyUpdates.override.minor (none)
sonar.dependencyUpdates.override.major (none)
sonar.dependencyUpdates.override.critical (none)
sonar.dependencyUpdates.override.blocker (none)

Versions

versions-maven-plugin by default reports all versions available in the configured repositories. Especially some libraries are releasing non-standard alpha, beta, release candidate or milestone versions. In general such libraries should not be reported by this plugin. Therefore the following configuration property is excluding these versions by default. It is also possible to configure this for the versions-maven-plugin but then it has to be done for each project or global to maven.

Property Default
sonar.dependencyUpdates.versionExclusionRegex .*\[-_\\.\]\(alpha|Alpha|ALPHA|beta|Beta|BETA|rc|RC|milestone|M|EA\)\[-_\\.\]?\[0-9\]*

The second configuration in the Versions category is related to the sub versions reported for minor and major updated. versions-maven-plugin will report available patches for minor updates as discrete versions as it will also report available minors for major updates. As if a minor or major update is done, usually the latest patch/minor update is taken respectively. So the following configuration will exclude additional patches available for minor updates and additional minors available for major updates. It is enabled by default.

Property Default
sonar.dependencyUpdates.discreteMinorMajor true

Sample for a dependency with version 1.1.0

Reported by versions-maven-plugin Recognized (configuration is false) Recognized (configuration is true)
minor updates 1.2.0, 1.2.1, 1.2.2, 1.3.0 4 (1.2.0, 1.2.1, 1.2.2, 1.3.0) 2 (1.2.2, 1.3.0)
major updates 2.0.0, 2.1.0, 2.2.0, 3.0.0, 4.0.0 5 (2.0.0, 2.1.0, 2.2.0, 3.0.0, 4.0.0) 3 (2.2.0, 3.0.0, 4.0.0)