{"id":23521238,"url":"https://github.com/leplusorg/docker-maven-check-versions","last_synced_at":"2025-04-19T19:42:08.828Z","repository":{"id":64803774,"uuid":"571065556","full_name":"leplusorg/docker-maven-check-versions","owner":"leplusorg","description":"Docker container to run the Maven Versions plugin. ","archived":false,"fork":false,"pushed_at":"2025-04-10T11:32:26.000Z","size":505,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-10T12:53:01.540Z","etag":null,"topics":["cli","dependency-analysis","docker","docker-container","docker-image","dockerfile","maven","maven-versions-plugin"],"latest_commit_sha":null,"homepage":"https://hub.docker.com/r/leplusorg/maven-check-versions","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/leplusorg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-27T03:20:08.000Z","updated_at":"2025-04-10T11:32:29.000Z","dependencies_parsed_at":"2023-12-25T17:34:47.003Z","dependency_job_id":"180b763c-6ce0-4ffd-b272-4c5176181b57","html_url":"https://github.com/leplusorg/docker-maven-check-versions","commit_stats":{"total_commits":60,"total_committers":2,"mean_commits":30.0,"dds":"0.033333333333333326","last_synced_commit":"12ddbbeb1eb7187c4c16e82e8828e6f0967e9ea8"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-maven-check-versions","
tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-maven-check-versions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-maven-check-versions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leplusorg%2Fdocker-maven-check-versions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/leplusorg","download_url":"https://codeload.github.com/leplusorg/docker-maven-check-versions/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249783329,"owners_count":21325092,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","dependency-analysis","docker","docker-container","docker-image","dockerfile","maven","maven-versions-plugin"],"created_at":"2024-12-25T17:11:28.497Z","updated_at":"2025-04-19T19:42:08.822Z","avatar_url":"https://github.com/leplusorg.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Maven Check Versions\n\nDocker container to run the Maven Versions plugin.\n\n[![Dockerfile](https://img.shields.io/badge/GitHub-Dockerfile-blue)](https://img.shields.io/badge/GitHub-Dockerfile-blue)](maven-check-versions/Dockerfile)\n[![Docker Build](https://github.com/leplusorg/docker-maven-check-versions/workflows/Docker/badge.svg)](https://github.com/leplusorg/docker-maven-check-versions/actions?query=workflow:\"Docker\")\n[![Docker 
Stars](https://img.shields.io/docker/stars/leplusorg/maven-check-versions)](https://hub.docker.com/r/leplusorg/maven-check-versions)\n[![Docker Pulls](https://img.shields.io/docker/pulls/leplusorg/maven-check-versions)](https://hub.docker.com/r/leplusorg/maven-check-versions)\n[![Docker Version](https://img.shields.io/docker/v/leplusorg/maven-check-versions?sort=semver)](https://hub.docker.com/r/leplusorg/maven-check-versions)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/10080/badge)](https://bestpractices.coreinfrastructure.org/projects/10080)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/leplusorg/docker-maven-check-versions/badge)](https://securityscorecards.dev/viewer/?uri=github.com/leplusorg/docker-maven-check-versions)\n\n## Purpose\n\nThis container is meant to be used in a CI/CD pipeline to detect when newer versions of Maven dependencies or plugins are available.\n\n## Requirements\n\nThe image comes with Maven installed, so it only needs a pom.xml to analyze. However, if you want to control the version of Maven to be used instead, just make sure that there is a Maven wrapper script (mvnw) pointing to that version next to the pom.xml. For more information on how to install the Maven wrapper in your project, see the [documentation](https://maven.apache.org/wrapper/).\n\nThe script uses the Versions plugin (more details [here](https://www.mojohaus.org/versions-maven-plugin/)). 
By default, Maven will use the latest version of the plugin that it supports, but you can set the desired version inside your pom.xml:\n\n```xml\n\u003cproperties\u003e\n  ...\n  \u003cmaven.versions.plugin\u003e2.14.0\u003c/maven.versions.plugin\u003e\n  ...\n\u003c/properties\u003e\n...\n\u003cbuild\u003e\n  \u003cpluginManagement\u003e\n    \u003cplugins\u003e\n      ...\n      \u003cplugin\u003e\n        \u003cgroupId\u003eorg.codehaus.mojo\u003c/groupId\u003e\n        \u003cartifactId\u003eversions-maven-plugin\u003c/artifactId\u003e\n        \u003cversion\u003e${maven.versions.plugin}\u003c/version\u003e\n      \u003c/plugin\u003e\n      ...\n    \u003c/plugins\u003e\n  \u003c/pluginManagement\u003e\n\u003c/build\u003e\n```\n\n## GitHub\n\nTo use this container in a GitHub workflow, add the following action file `.github/workflows/maven-check-versions.yml` to your project:\n\n```yaml\n---\nname: Maven Check Versions\n\non:\n  schedule:\n    - cron: \"0 0 * * 0\"\n  workflow_dispatch:\n\npermissions: {}\n\njobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7\n      - name: Check the versions\n        uses: docker://leplusorg/maven-check-versions:3.9.8@sha256:83d9758a4a0626f58376924c602919f14a782aa49e5e2bfb86de1f797de16cdd\n```\n\nThis way the action can be triggered manually and otherwise it runs\nautomatically once per week.\n\n## GitLab\n\nTo use this container in a GitLab step, add the following step to the stage of your choice:\n\n```yaml\nmaven check versions:\n  image:\n    name: leplusorg/maven-check-versions:3.9.8@sha256:83d9758a4a0626f58376924c602919f14a782aa49e5e2bfb86de1f797de16cdd\n  script:\n    - \"/opt/maven-check-versions.sh\"\n```\n\n## Ignoring versions\n\nYou can define which versions should be ignored using the\n`IGNORED_VERSIONS` OS environment variable which will be passed to the\nmaven versions plugin as `maven.version.ignore` 
(see\n[here](https://www.mojohaus.org/versions/versions-maven-plugin/version-rules.html#Using_the_maven.version.ignore_property)\nfor details). For example, you can set `IGNORED_VERSIONS` to\n`(?i).+-(alpha|beta).+,(?i).+-m\\\\d+,(?i).+-rc\\\\d+` to ignore alpha,\nbeta, mark or release candidate versions.\n\n## Manually using Docker\n\n**Mac/Linux**\n\n```bash\ndocker run --rm -t --user=\"$(id -u):$(id -g)\" -v \"$(pwd):/opt/project\" leplusorg/maven-check-versions\n```\n\n**Windows**\n\nIn `cmd`:\n\n```batch\ndocker run --rm -t -v \"%cd%:/opt/project\" leplusorg/maven-check-versions\n```\n\nIn PowerShell:\n\n```pwsh\ndocker run --rm -t -v \"${PWD}:/opt/project\" leplusorg/maven-check-versions\n```\n\n## Software Bill of Materials (SBOM)\n\nTo get the SBOM for the latest image (in SPDX JSON format), use the\nfollowing command:\n\n```bash\ndocker buildx imagetools inspect leplusorg/maven-check-versions --format '{{ json (index .SBOM \"linux/amd64\").SPDX }}'\n```\n\nReplace `linux/amd64` with the desired platform (`linux/amd64`, `linux/arm64` etc.).\n\n### Sigstore\n\n[Sigstore](https://docs.sigstore.dev) is trying to improve supply\nchain security by allowing you to verify the origin of an\nartifact. You can verify that the jar that you use was actually\nproduced by this repository. 
This means that if you verify the\nsignature of the ristretto jar, you can trust the integrity of the\nwhole supply chain from code source, to CI/CD build, to distribution\non Maven Central or wherever you got the jar from.\n\nYou can use the following command to verify the latest image using its\nsigstore signature attestation:\n\n```bash\ncosign verify leplusorg/maven-check-versions --certificate-identity-regexp 'https://github\\.com/leplusorg/docker-maven-check-versions/\\.github/workflows/.+' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'\n```\n\nThe output should look something like this:\n\n```text\nVerification for index.docker.io/leplusorg/xml:main --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - Existence of the claims in the transparency log was verified offline\n  - The code-signing certificate was verified using trusted certificate authority certificates\n\n[{\"critical\":...\n```\n\nFor instructions on how to install `cosign`, please read this [documentation](https://docs.sigstore.dev/cosign/system_config/installation/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fleplusorg%2Fdocker-maven-check-versions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fleplusorg%2Fdocker-maven-check-versions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fleplusorg%2Fdocker-maven-check-versions/lists"}