Third party repository detection
alecharp opened this issue
Description
Some plugins are using third party repositories to resolve dependencies.
Being able to detect those could be of interest for the infra team.
Idea from @lemeurherve and @dduportal
For instance:
Hi!
I would love to work on this issue
Hi everyone,
If a <url> in pom.xml does not start with https://repo.jenkins-ci.org/ui/packages, does that mean it is a third-party package?
Should this be my approach to detect a third-party package?
@DanielS01ss I'm sorry, but as part of the GSoC project, it would be better if you could find another issue to work on. Those without the project GSoC 2023 are up for grabs.
@Jagrutiti not really. This is because you have project.url which should point to the plugin repository (or somewhere in the repository) for the plugin documentation migration. But you have project.repositories which should be a list of 1 or more elements. What we want is to detect if a plugin is using a repository which is not https://repo.jenkins-ci.org/public.
Please see https://maven.apache.org/guides/introduction/introduction-to-repositories.html and sub-documentation to have more details.
The problem is not third-party packages. The problem is getting those packages from a place we (Jenkins community) have no knowledge about.
Note: please reuse what exists to parse the pom.xml, aka use a library to read the POM file.
After discussing with @lemeurherve, we need to track everything that is downloaded outside of repo.jenkins-ci.org. This also includes pluginRepositories.
To continue the work further, learning more about effective-pom and how to run Maven from Java could prove helpful.
@alecharp Please add GSOC label