is there a maven plugin to identify ancient pom dependencies

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

is there a maven plugin to identify ancient pom dependencies

Marlow, Andrew

Hello everyone,

 

I am using the owasp maven dependency plugin to tell me when I am using components that have CVEs. That’s great. I was wondering if there was something similar that would tell me when I am using very old components (where the judgement about what is old is configurable, e.g number of years, months etc).

 

Andrew Marlow

Software Engineer Specialist, Apex

38th Floor, 25 Canada Square,

Canary Wharf, London E14 5LQ

T:  020-8081-2367 / 07966-451-521
E
[hidden email]

 

FIS | Advancing the way the world pays, banks and invests™ 

 

The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. FIS is a trading name of the following companies: Advanced Portfolio Technologies Ltd (No: 6312142) | Clear2Pay Limited (No: 5792457) | Decalog (UK) Limited (No: 2567370) | FIS Apex (International) Limited (No: 2999960) | FIS Apex (UK) Limited (No. 3573008) | FIS Consulting Services (UK) Limited (No: 2486794) | FIS Derivatives Utility Services (UK) Limited (No: 9398140) | FIS Energy Solutions Limited (No: 1889028) | FIS Global Execution Services Limited (No. 3127109) | FIS Global Trading (UK) Limited (No: 2523114) | FIS Investment Systems (UK) Limited (No: 1366010) | FIS Sherwood Systems Group Limited (No: 982833) | FIS Systems Limited (No: 1937159) | FIS Treasury Systems (Europe) Limited (No: 2624209) | FIS Treasury Systems (UK) Limited (No: 2893376) | GL Settle Limited (No: 2396127) | Integrity Treasury Solutions Europe Limited (No: 3289271) | Monis Software Limited (No: 2333925) | Reech Capital Limited (No: 3649490) | Solutions Plus Consulting Services Limited (No: 3839487) | Valuelink Information Services Limited (No: 3827424) all registered in England & Wales with their registered office at 25 Canada Square, London E14 5LQ | FIS Global Execution Services Limited is authorised and regulated by the Financial Conduct Authority | Certegy Card Services Limited (No: 3517639) | Certegy France Limited (No: 2557650) | eFunds International Limited (No: 1930117) | Fidelity Information Services Limited (No: 2225203) | FIS Payments (UK) Limited (No: 4215488) | Metavante Technologies Limited (No: 2659326) all registered in England & Wales with their registered office at 1st Floor Tricorn House, 51-53 Hagley Road, Edgbaston, Birmingham, West Midlands, B16 8TU, United Kingdom | FIS Payments (UK) Limited is authorised and regulated by the Financial Conduct Authority; some services are covered by the Financial Ombudsman Service (in the UK). Clear2Pay Limited, Registered in Scotland (No SC157659), Registered Office: Clear2Pay House, Pitreavie Court, Pitreavie Business Park Queensferry Rd, Dunfermline, Fife, SS, KY11 8UU, Scotland | FIS eProcess Intelligence LLC (UK Branch), UK Establishment Registered in England & Wales (No: FC16527/Branch No. BR000355), Registered Branch Office: 25 Canada Square, London, E14 5LQ; FIS eProcess Intelligence LLC is a limited liability company formed in the USA registered on file with the Office of the Delaware Secretary of State, Division of Corporations (File No. 2032143), Head Office: 601 Riverside Avenue, Jacksonville Florida, FL32204, USA | FIS Investment Systems LLC, UK Establishment Registered in England & Wales (No: FC033836/Branch No. BR018923), Registered Branch Office: 25 Canada Square, London, E14 5LQ; FIS Investment Systems LLC is a limited liability company formed in the USA registered on file with the Office of the Delaware Secretary of State, Division of Corporations (File No. 0881255), Head Office: 377 E. Butterfield Road, Suite 800, Lombard, IL 60148, USA | Calls to and from the companies may be recorded for quality purposes. | All of the named companies are part of FIS (Fidelity National Information Services, Inc.).
Reply | Threaded
Open this post in threaded view
|

Re: is there a maven plugin to identify ancient pom dependencies

Mark Prins
On 2019-12-20 13:39, Marlow, Andrew wrote:
>
> Hello everyone,
>
> I am using the owasp maven dependency plugin to tell me when I am
> using components that have CVEs. That’s great. I was wondering if
> there was something similar that would tell me when I am using very
> old components (where the judgement about what is old is configurable,
> e.g number of years, months etc).
>

never seen one, it would be hard without querying the source repository
for the release tag/branch for the moment the release was cut (which is
problematic in case a minimal release pom is in use. The current pom
does not have this/a timestamp for this and you cannot use the file date.

I guess you could look at the date of the (class) files inside the
artifact (jar) to determine build/release date, not sure how that would
work out with shaded dependencies or provided manifest files


-M

> *Andrew Marlow*
>
> Software Engineer Specialist, Apex
>
> 38^th Floor, 25 Canada Square,
>
> Canary Wharf, London E14 5LQ
>
> *T*:  020-8081-2367 / 07966-451-521
> *E*: [hidden email] <mailto:[hidden email]>
>
> *FIS | Advancing the way the world pays, banks and invests™ *
>
> cid:image004.png@01D542DF.1DA72090
> <https://www.facebook.com/FIStoday>cid:image005.png@01D542DF.1DA72090
> <https://twitter.com/FISGlobal>cid:image008.png@01D542DF.1DA72090
> <https://www.linkedin.com/company/fis>
>
> The information contained in this message is proprietary and/or
> confidential jadajadajada...

Reply | Threaded
Open this post in threaded view
|

Re: is there a maven plugin to identify ancient pom dependencies

Enrico Olivelli
Something like this:
https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html

Hope that helps
Enrico

Il sab 21 dic 2019, 18:31 mark <[hidden email]> ha scritto:

> On 2019-12-20 13:39, Marlow, Andrew wrote:
> >
> > Hello everyone,
> >
> > I am using the owasp maven dependency plugin to tell me when I am
> > using components that have CVEs. That’s great. I was wondering if
> > there was something similar that would tell me when I am using very
> > old components (where the judgement about what is old is configurable,
> > e.g number of years, months etc).
> >
>
> never seen one, it would be hard without querying the source repository
> for the release tag/branch for the moment the release was cut (which is
> problematic in case a minimal release pom is in use. The current pom
> does not have this/a timestamp for this and you cannot use the file date.
>
> I guess you could look at the date of the (class) files inside the
> artifact (jar) to determine build/release date, not sure how that would
> work out with shaded dependencies or provided manifest files
>
>
> -M
>
> > *Andrew Marlow*
> >
> > Software Engineer Specialist, Apex
> >
> > 38^th Floor, 25 Canada Square,
> >
> > Canary Wharf, London E14 5LQ
> >
> > *T*:  020-8081-2367 / 07966-451-521
> > *E*: [hidden email] <mailto:[hidden email]>
> >
> > *FIS | Advancing the way the world pays, banks and invests™ *
> >
> > cid:image004.png@01D542DF.1DA72090
> > <https://www.facebook.com/FIStoday>cid:image005.png@01D542DF.1DA72090
> > <https://twitter.com/FISGlobal>cid:image008.png@01D542DF.1DA72090
> > <https://www.linkedin.com/company/fis>
> >
> > The information contained in this message is proprietary and/or
> > confidential jadajadajada...
>
>
Reply | Threaded
Open this post in threaded view
|

Re: is there a maven plugin to identify ancient pom dependencies

Maarten Mulders
Maybe this can help you:
https://github.com/portofrotterdam/versiondebt-plugin
As far as I can see, it doesn't allow you to configure "what is old". It
does tell you how old dependencies are.
Important disclaimer at the end of the page: it isn't maintained on a
regular basis.

Cheers,

Maarten

On December 21, 2019 at 18:50, Enrico Olivelli wrote:

> Something like this:
> https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html
>
> Hope that helps
> Enrico
>
> Il sab 21 dic 2019, 18:31 mark <[hidden email]> ha scritto:
>
> On 2019-12-20 13:39, Marlow, Andrew wrote:
> Hello everyone,
>
> I am using the owasp maven dependency plugin to tell me when I am
> using components that have CVEs. That's great. I was wondering if
> there was something similar that would tell me when I am using very
> old components (where the judgement about what is old is configurable,
> e.g number of years, months etc).
>
> never seen one, it would be hard without querying the source repository
> for the release tag/branch for the moment the release was cut (which is
> problematic in case a minimal release pom is in use. The current pom
> does not have this/a timestamp for this and you cannot use the file
> date.
>
> I guess you could look at the date of the (class) files inside the
> artifact (jar) to determine build/release date, not sure how that would
> work out with shaded dependencies or provided manifest files
>
> -M
>
> *Andrew Marlow*
>
> Software Engineer Specialist, Apex
>
> 38^th Floor, 25 Canada Square,
>
> Canary Wharf, London E14 5LQ
>
> *T*:  020-8081-2367 / 07966-451-521
> *E*: [hidden email] <mailto:[hidden email]>
>
> *FIS | Advancing the way the world pays, banks and invests(tm) *
>
> cid:image004.png@01D542DF.1DA72090
> <https://www.facebook.com/FIStoday>cid:image005.png@01D542DF.1DA72090
> <https://twitter.com/FISGlobal>cid:image008.png@01D542DF.1DA72090
> <https://www.linkedin.com/company/fis>
>
> The information contained in this message is proprietary and/or
> confidential jadajadajada...

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: is there a maven plugin to identify ancient pom dependencies

Mark Prins

On 21-12-19 21:02, Maarten Mulders wrote:
> Maybe this can help you:
> https://github.com/portofrotterdam/versiondebt-plugin
> As far as I can see, it doesn't allow you to configure "what is old". It
> does tell you how old dependencies are.

not really; it seems that it uses the "last modified" from a
URLConnection to the artifact in a repository, so unlikely to provide a
date related to the time of release. it will be unreliable in any
situation that a maven proxy is used.

see:
https://github.com/portofrotterdam/versiondebt-plugin/blob/e500e2d2a1fce4eb350633c7515b04107dae42d6/versiondebt-maven-plugin/src/main/java/com/portofrotterdam/versiondebt/VersiondebtMojo.java#L218-L229


> Important disclaimer at the end of the page: it isn't maintained on a
> regular basis.
>
> Cheers,
>
> Maarten
>
> On December 21, 2019 at 18:50, Enrico Olivelli wrote:
>
>> Something like this:
>> https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html 
>>
>>
>> Hope that helps
>> Enrico
>>
>> Il sab 21 dic 2019, 18:31 mark <[hidden email]> ha scritto:
>>
>> On 2019-12-20 13:39, Marlow, Andrew wrote:
>> Hello everyone,
>>
>> I am using the owasp maven dependency plugin to tell me when I am
>> using components that have CVEs. That's great. I was wondering if
>> there was something similar that would tell me when I am using very
>> old components (where the judgement about what is old is configurable,
>> e.g number of years, months etc).
>>
>> never seen one, it would be hard without querying the source repository
>> for the release tag/branch for the moment the release was cut (which is
>> problematic in case a minimal release pom is in use. The current pom
>> does not have this/a timestamp for this and you cannot use the file date.
>>
>> I guess you could look at the date of the (class) files inside the
>> artifact (jar) to determine build/release date, not sure how that would
>> work out with shaded dependencies or provided manifest files
>>
>> -M
>>
>> *Andrew Marlow*
>>
>> Software Engineer Specialist, Apex
>>
>> 38^th Floor, 25 Canada Square,
>>
>> Canary Wharf, London E14 5LQ
>>
>> *T*:  020-8081-2367 / 07966-451-521
>> *E*: [hidden email] <mailto:[hidden email]>
>>
>> *FIS | Advancing the way the world pays, banks and invests(tm) *
>>
>> cid:image004.png@01D542DF.1DA72090
>> <https://www.facebook.com/FIStoday>cid:image005.png@01D542DF.1DA72090
>> <https://twitter.com/FISGlobal>cid:image008.png@01D542DF.1DA72090
>> <https://www.linkedin.com/company/fis>
>>
>> The information contained in this message is proprietary and/or
>> confidential jadajadajada...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: is there a maven plugin to identify ancient pom dependencies

Maarten Mulders
Good catch, Mark. I wouldn't have guessed from the README or the
announcement [1].
Indeed, this implementation seems based on some assumption about central
repository behaviour.
If your repository manager would set that header to the date the
artifact was released, it might be of help. But I, for one, wouldn't
trust on that assumption alone.

Cheers,

Maarten

[1] https://twitter.com/royvanrijn/status/803902527360159744

On December 23, 2019 at 14:53, Mark Prins wrote:

> On 21-12-19 21:02, Maarten Mulders wrote:
>
>> Maybe this can help you:
>> https://github.com/portofrotterdam/versiondebt-plugin
>> As far as I can see, it doesn't allow you to configure "what is old".
>> It does tell you how old dependencies are.
>
> not really; it seems that it uses the "last modified" from a
> URLConnection to the artifact in a repository, so unlikely to provide a
> date related to the time of release. it will be unreliable in any
> situation that a maven proxy is used.
>
> see:
> https://github.com/portofrotterdam/versiondebt-plugin/blob/e500e2d2a1fce4eb350633c7515b04107dae42d6/versiondebt-maven-plugin/src/main/java/com/portofrotterdam/versiondebt/VersiondebtMojo.java#L218-L229
>
> Important disclaimer at the end of the page: it isn't maintained on a
> regular basis.
>
> Cheers,
>
> Maarten
>
> On December 21, 2019 at 18:50, Enrico Olivelli wrote:
>
> Something like this:
> https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html 
> Hope that helps
> Enrico
>
> Il sab 21 dic 2019, 18:31 mark <[hidden email]> ha scritto:
>
> On 2019-12-20 13:39, Marlow, Andrew wrote:
> Hello everyone,
>
> I am using the owasp maven dependency plugin to tell me when I am
> using components that have CVEs. That's great. I was wondering if
> there was something similar that would tell me when I am using very
> old components (where the judgement about what is old is configurable,
> e.g number of years, months etc).
>
> never seen one, it would be hard without querying the source repository
> for the release tag/branch for the moment the release was cut (which is
> problematic in case a minimal release pom is in use. The current pom
> does not have this/a timestamp for this and you cannot use the file
> date.
>
> I guess you could look at the date of the (class) files inside the
> artifact (jar) to determine build/release date, not sure how that would
> work out with shaded dependencies or provided manifest files
>
> -M
>
> *Andrew Marlow*
>
> Software Engineer Specialist, Apex
>
> 38^th Floor, 25 Canada Square,
>
> Canary Wharf, London E14 5LQ
>
> *T*:  020-8081-2367 / 07966-451-521
> *E*: [hidden email] <mailto:[hidden email]>
>
> *FIS | Advancing the way the world pays, banks and invests(tm) *
>
> cid:image004.png@01D542DF.1DA72090
> <https://www.facebook.com/FIStoday>cid:image005.png@01D542DF.1DA72090
> <https://twitter.com/FISGlobal>cid:image008.png@01D542DF.1DA72090
> <https://www.linkedin.com/company/fis>
>
> The information contained in this message is proprietary and/or
> confidential jadajadajada...
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]