James Richardson created BATIK-1391:
---------------------------------------
Summary: Correct SCM URL in POM to point to GitHub
Key: BATIK-1391
URL: https://issues.apache.org/jira/browse/BATIK-1391
Project: Batik
Issue Type: Improvement
Components: Build Tools
Affects Versions: 1.19
Reporter: James Richardson
[pom.xml|https://github.com/apache/xmlgraphics-batik/blob/main/pom.xml#L190]
contains the following:
{code:xml}
<scm>
  <connection>scm:svn:https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk/</connection>
  <url>scm:svn:https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk/</url>
  <developerConnection></developerConnection>
</scm>
{code}
This results in the source control URL in the Maven central repo pointing to
svn.apache.org (see
[https://central.sonatype.com/artifact/org.apache.xmlgraphics/batik-transcoder]).
This is a problem for us because we generate an [SBOM|https://cyclonedx.org/]
from our Gradle build, and that SBOM will then contain this:
{code:json}
{
  "url" : "scm:svn:https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk/batik-transcoder/",
  "type" : "vcs"
}
{code}
That SBOM is then used (among other things) to do something called "OSS
Qualification", which assigns a score between 0 and 10 to each of our OSS
components, based on criteria such as: how many contributors it has, how
recently it was updated, etc.
If the SBOM points to the old svn.apache.org repo, then our OSS Qualification
process can't carry out those checks on the Batik components. I think it must
only work on GitHub, and perhaps some other popular OSS repos - any repo
that can give it the metrics it needs.
I believe that if the SCM URL in the POM was updated to point to GitHub, then
we wouldn't need to work around this issue in our SBOM generation process or
our OSS Qualification process.
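An added example, not part of the report above and not code from the Batik project: a check that walks a CycloneDX SBOM and flags components whose `vcs` reference still carries a Maven `scm:` prefix or points at a host the scoring tool cannot query. `METRIC_HOSTS` is an assumption, and the `example-a` and `example-b` components are constructed; only the batik-transcoder URL comes from the report.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: hosts the scoring tool can pull repository metrics from.
METRIC_HOSTS = {"github.com"}

# Maven SCM URL: scm:<provider><delimiter><provider-specific>, delimiter ':' or '|'.
SCM_PREFIX = re.compile(r"^scm:([A-Za-z0-9]+)[:|](.+)$")

# Constructed sample SBOM; only the first vcs URL comes from the report above.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"name": "batik-transcoder", "externalReferences": [
    {"type": "vcs",
     "url": "scm:svn:https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk/batik-transcoder/"}]},
  {"name": "example-a", "externalReferences": [
    {"type": "vcs", "url": "https://github.com/example-org/example-a"}]},
  {"name": "example-b", "externalReferences": [
    {"type": "vcs", "url": "scm:git:https://github.com/example-org/example-b.git"}]}
]}
""")


def split_scm_url(raw):
    """Return (provider, url); provider is None when there is no scm: prefix."""
    match = SCM_PREFIX.match(raw.strip())
    if match:
        return match.group(1).lower(), match.group(2)
    return None, raw.strip()


def audit_vcs_references(sbom):
    """List components whose vcs reference would block repository scoring."""
    findings = []
    for comp in sbom.get("components", []):
        for ref in comp.get("externalReferences", []):
            if ref.get("type") != "vcs":
                continue
            provider, url = split_scm_url(ref.get("url", ""))
            host = (urlparse(url).hostname or "").lower()
            # A leftover scm: prefix means the consumer must strip it before use.
            issues = ["maven-scm-prefix"] if provider else []
            if host not in METRIC_HOSTS:
                issues.append("unsupported-host")
            if issues:
                findings.append({"component": comp.get("name"), "host": host,
                                 "issues": issues})
    return findings
```

Running `audit_vcs_references` over an SBOM in a build pipeline gives a list of components that will drop out of repository-based scoring before the scoring step is reached.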