Re: is there a maven plugin to identify ancient pom dependencies

2019-12-23 Thread Maarten Mulders
Good catch, Mark. I wouldn't have guessed from the README or the 
announcement [1].
Indeed, this implementation seems to be based on an assumption about central 
repository behaviour.
If your repository manager were to set that header to the date the 
artifact was released, it might be of help. But I, for one, wouldn't 
rely on that assumption alone.


Cheers,

Maarten

[1] https://twitter.com/royvanrijn/status/803902527360159744

On December 23, 2019 at 14:53, Mark Prins wrote:


On 21-12-19 21:02, Maarten Mulders wrote:

Maybe this can help you: 
https://github.com/portofrotterdam/versiondebt-plugin
As far as I can see, it doesn't allow you to configure "what is old". 
It does tell you how old dependencies are.


Not really; it seems that it uses the "last modified" from a 
URLConnection to the artifact in a repository, so it is unlikely to provide a 
date related to the time of release. It will be unreliable in any 
situation where a maven proxy is used.


see:
https://github.com/portofrotterdam/versiondebt-plugin/blob/e500e2d2a1fce4eb350633c7515b04107dae42d6/versiondebt-maven-plugin/src/main/java/com/portofrotterdam/versiondebt/VersiondebtMojo.java#L218-L229

Important disclaimer at the end of the page: it isn't maintained on a 
regular basis.


Cheers,

Maarten

On December 21, 2019 at 18:50, Enrico Olivelli wrote:

Something like this:
https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html 
Hope that helps

Enrico

On Sat 21 Dec 2019, 18:31 mark wrote:

On 2019-12-20 13:39, Marlow, Andrew wrote:
Hello everyone,

I am using the owasp maven dependency plugin to tell me when I am
using components that have CVEs. That's great. I was wondering if
there was something similar that would tell me when I am using very
old components (where the judgement about what is old is configurable,
e.g. number of years, months etc).

Never seen one; it would be hard without querying the source repository
for the release tag/branch for the moment the release was cut (which is
problematic in case a minimal release pom is in use). The current pom
does not have this/a timestamp for this and you cannot use the file 
date.


I guess you could look at the date of the (class) files inside the
artifact (jar) to determine the build/release date; not sure how that would
work out with shaded dependencies or provided manifest files.

-M

*Andrew Marlow*

Software Engineer Specialist, Apex

38th Floor, 25 Canada Square,

Canary Wharf, London E14 5LQ

*T*:  020-8081-2367 / 07966-451-521
*E*: andrew.mar...@fisglobal.com 

*FIS | Advancing the way the world pays, banks and invests(tm) *



The information contained in this message is proprietary and/or
confidential jadajadajada...
-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org





Re: is there a maven plugin to identify ancient pom dependencies

2019-12-23 Thread Mark Prins



On 21-12-19 21:02, Maarten Mulders wrote:
Maybe this can help you: 
https://github.com/portofrotterdam/versiondebt-plugin
As far as I can see, it doesn't allow you to configure "what is old". It 
does tell you how old dependencies are.


Not really; it seems that it uses the "last modified" from a 
URLConnection to the artifact in a repository, so it is unlikely to provide a 
date related to the time of release. It will be unreliable in any 
situation where a maven proxy is used.


see:
https://github.com/portofrotterdam/versiondebt-plugin/blob/e500e2d2a1fce4eb350633c7515b04107dae42d6/versiondebt-maven-plugin/src/main/java/com/portofrotterdam/versiondebt/VersiondebtMojo.java#L218-L229


Important disclaimer at the end of the page: it isn't maintained on a 
regular basis.


Cheers,

Maarten

On December 21, 2019 at 18:50, Enrico Olivelli wrote:


Something like this:
https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html 



Hope that helps
Enrico

On Sat 21 Dec 2019, 18:31 mark wrote:

On 2019-12-20 13:39, Marlow, Andrew wrote:
Hello everyone,

I am using the owasp maven dependency plugin to tell me when I am
using components that have CVEs. That's great. I was wondering if
there was something similar that would tell me when I am using very
old components (where the judgement about what is old is configurable,
e.g. number of years, months etc).

Never seen one; it would be hard without querying the source repository
for the release tag/branch for the moment the release was cut (which is
problematic in case a minimal release pom is in use). The current pom
does not have this/a timestamp for this and you cannot use the file date.

I guess you could look at the date of the (class) files inside the
artifact (jar) to determine the build/release date; not sure how that would
work out with shaded dependencies or provided manifest files.

-M

*Andrew Marlow*

Software Engineer Specialist, Apex

38th Floor, 25 Canada Square,

Canary Wharf, London E14 5LQ

*T*:  020-8081-2367 / 07966-451-521
*E*: andrew.mar...@fisglobal.com 

*FIS | Advancing the way the world pays, banks and invests(tm) *



The information contained in this message is proprietary and/or
confidential jadajadajada...





Re: is there a maven plugin to identify ancient pom dependencies

2019-12-21 Thread Maarten Mulders
Maybe this can help you: 
https://github.com/portofrotterdam/versiondebt-plugin
As far as I can see, it doesn't allow you to configure "what is old". It 
does tell you how old dependencies are.
Important disclaimer at the end of the page: it isn't maintained on a 
regular basis.


Cheers,

Maarten

On December 21, 2019 at 18:50, Enrico Olivelli wrote:


Something like this:
https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html

Hope that helps
Enrico

On Sat 21 Dec 2019, 18:31 mark wrote:

On 2019-12-20 13:39, Marlow, Andrew wrote:
Hello everyone,

I am using the owasp maven dependency plugin to tell me when I am
using components that have CVEs. That's great. I was wondering if
there was something similar that would tell me when I am using very
old components (where the judgement about what is old is configurable,
e.g. number of years, months etc).

Never seen one; it would be hard without querying the source repository
for the release tag/branch for the moment the release was cut (which is
problematic in case a minimal release pom is in use). The current pom
does not have this/a timestamp for this and you cannot use the file 
date.


I guess you could look at the date of the (class) files inside the
artifact (jar) to determine the build/release date; not sure how that would
work out with shaded dependencies or provided manifest files.

-M

*Andrew Marlow*

Software Engineer Specialist, Apex

38th Floor, 25 Canada Square,

Canary Wharf, London E14 5LQ

*T*:  020-8081-2367 / 07966-451-521
*E*: andrew.mar...@fisglobal.com 

*FIS | Advancing the way the world pays, banks and invests(tm) *



The information contained in this message is proprietary and/or
confidential jadajadajada...





Re: is there a maven plugin to identify ancient pom dependencies

2019-12-21 Thread Enrico Olivelli
Something like this:
https://www.mojohaus.org/versions-maven-plugin/display-dependency-updates-mojo.html

Hope that helps
Enrico

On Sat 21 Dec 2019, 18:31 mark wrote:

> On 2019-12-20 13:39, Marlow, Andrew wrote:
> >
> > Hello everyone,
> >
> > I am using the owasp maven dependency plugin to tell me when I am
> > using components that have CVEs. That’s great. I was wondering if
> > there was something similar that would tell me when I am using very
> > old components (where the judgement about what is old is configurable,
> > e.g. number of years, months etc).
> >
>
> Never seen one; it would be hard without querying the source repository
> for the release tag/branch for the moment the release was cut (which is
> problematic in case a minimal release pom is in use). The current pom
> does not have this/a timestamp for this and you cannot use the file date.
>
> I guess you could look at the date of the (class) files inside the
> artifact (jar) to determine the build/release date; not sure how that would
> work out with shaded dependencies or provided manifest files.
>
>
> -M
>
> > *Andrew Marlow*
> >
> > Software Engineer Specialist, Apex
> >
> > 38th Floor, 25 Canada Square,
> >
> > Canary Wharf, London E14 5LQ
> >
> > *T*:  020-8081-2367 / 07966-451-521
> > *E*: andrew.mar...@fisglobal.com 
> >
> > *FIS | Advancing the way the world pays, banks and invests™ *
> >
> > 
> >
> > The information contained in this message is proprietary and/or
> > confidential jadajadajada...
>
>


Re: is there a maven plugin to identify ancient pom dependencies

2019-12-21 Thread mark

On 2019-12-20 13:39, Marlow, Andrew wrote:


Hello everyone,

I am using the owasp maven dependency plugin to tell me when I am 
using components that have CVEs. That’s great. I was wondering if 
there was something similar that would tell me when I am using very 
old components (where the judgement about what is old is configurable, 
e.g. number of years, months etc).




Never seen one; it would be hard without querying the source repository 
for the release tag/branch for the moment the release was cut (which is 
problematic in case a minimal release pom is in use). The current pom 
does not have this/a timestamp for this and you cannot use the file date.


I guess you could look at the date of the (class) files inside the 
artifact (jar) to determine the build/release date; not sure how that would 
work out with shaded dependencies or provided manifest files.



-M


*Andrew Marlow*

Software Engineer Specialist, Apex

38th Floor, 25 Canada Square,

Canary Wharf, London E14 5LQ

*T*:  020-8081-2367 / 07966-451-521
*E*: andrew.mar...@fisglobal.com 

*FIS | Advancing the way the world pays, banks and invests™ *




The information contained in this message is proprietary and/or 
confidential jadajadajada...
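The approach mark sketches above (reading the timestamps of the class files inside the jar, with the shaded-dependency caveat) combined with Andrew's wish for a configurable "what is old" threshold, worked through as an added Python example. This is not code from the thread, from the versiondebt plugin or from the versions-maven-plugin; the sample jars, artifact names and the three-year threshold are constructed for the demonstration, and the reference date is simply the thread's own. It deliberately avoids the HTTP `Last-Modified` header that the thread found unreliable behind a proxy.

```python
"""Estimate how old a Maven artifact is from the timestamps of the entries
inside the jar, and flag it against a configurable "what is old" threshold.

Added example for the discussion in this thread; not code from any plugin
named in it. The sample jars are constructed in memory, so it runs offline.
"""
import io
import zipfile
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Reference "today" for the demo: the date of the thread (constructed choice).
REFERENCE_DATE = date(2019, 12, 23)


@dataclass
class AgeReport:
    artifact: str
    newest_class: Optional[date]  # latest .class timestamp: the build-date estimate
    oldest_class: Optional[date]  # earliest .class timestamp; a wide spread hints at shading
    age_days: Optional[int]
    stale: bool
    note: str


def class_entry_dates(jar_bytes: bytes) -> List[date]:
    """Return the modification dates of every .class entry in a jar.

    Zip entry timestamps are whatever the build tool wrote: local time,
    2-second resolution, and in a reproducible Maven build pinned to
    project.build.outputTimestamp rather than the moment of compilation.
    """
    dates: List[date] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class") and not info.is_dir():
                year, month, day = info.date_time[:3]
                dates.append(date(year, month, day))
    return dates


def assess(artifact: str, jar_bytes: bytes, max_age_days: int,
           today: Optional[date] = None, shading_spread_days: int = 365) -> AgeReport:
    """Estimate the artifact's build date and compare it with max_age_days."""
    today = today or date.today()
    dates = class_entry_dates(jar_bytes)
    if not dates:
        return AgeReport(artifact, None, None, None, False,
                         "no .class entries; cannot estimate a build date")
    newest, oldest = max(dates), min(dates)
    note = ""
    if (newest - oldest).days > shading_spread_days:
        # Classes compiled years apart in one jar usually means relocated
        # (shaded) dependencies were bundled in; the newest date then says
        # nothing about how old the bundled parts are.
        note = "class timestamps spread over %d days; likely shaded dependencies" % (newest - oldest).days
    age = (today - newest).days
    return AgeReport(artifact, newest, oldest, age, age > max_age_days, note)


def make_jar(entries: Dict[str, Tuple[int, int, int]]) -> bytes:
    """Build an in-memory jar (constructed sample data) whose entries carry
    the given (year, month, day) timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, ymd in entries.items():
            info = zipfile.ZipInfo(name, date_time=ymd + (0, 0, 0))
            zf.writestr(info, b"\xca\xfe\xba\xbe")  # class-file magic; body is irrelevant here
    return buf.getvalue()


def sample_jars() -> Dict[str, bytes]:
    """Constructed sample artifacts, one per situation the thread raises."""
    return {
        "commons-old-1.0.jar": make_jar({"META-INF/MANIFEST.MF": (2012, 3, 4),
                                         "org/example/Old.class": (2012, 3, 4)}),
        "fresh-lib-2.1.jar": make_jar({"org/example/Fresh.class": (2019, 11, 1)}),
        "shaded-app-3.0.jar": make_jar({"org/example/App.class": (2019, 6, 1),
                                        "shaded/com/thirdparty/Util.class": (2010, 1, 1)}),
        "resources-only-1.0.jar": make_jar({"META-INF/MANIFEST.MF": (2015, 5, 5)}),
    }


def scan(jars: Dict[str, bytes], max_age_days: int, today: date) -> List[AgeReport]:
    """Assess every jar and return the reports, oldest first (unknown age last)."""
    reports = [assess(name, data, max_age_days, today) for name, data in jars.items()]
    return sorted(reports, key=lambda r: -1 if r.age_days is None else r.age_days, reverse=True)


def demo_reports() -> List[AgeReport]:
    """Run the scan over the constructed jars with a three-year threshold."""
    return scan(sample_jars(), max_age_days=3 * 365, today=REFERENCE_DATE)


if __name__ == "__main__":
    for r in demo_reports():
        flag = "STALE" if r.stale else "ok"
        print(f"{r.artifact:24} built~{r.newest_class} age={r.age_days} {flag} {r.note}")
```

The threshold is a plain number of days, which is the configurable "what is old" Andrew asked for; the report keeps both the newest and the oldest class date so a reviewer can see when the estimate rests on a jar that bundles relocated third-party classes. In a real run the bytes would come from the jars in the local repository (`~/.m2/repository`) rather than from `sample_jars()`.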