{"id":36419603,"url":"https://github.com/reallyinsane/mathan-dependency-updates-sonar-plugin","last_synced_at":"2026-01-11T17:05:09.855Z","repository":{"id":46203899,"uuid":"176163915","full_name":"reallyinsane/mathan-dependency-updates-sonar-plugin","owner":"reallyinsane","description":"Integrates dependency-updates-report into SonarQube","archived":false,"fork":false,"pushed_at":"2023-06-14T22:29:30.000Z","size":126,"stargazers_count":2,"open_issues_count":1,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-05-07T18:14:50.236Z","etag":null,"topics":["component-analysis","dependencies","metrics","security","sonar-plugin","sonarqube"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/reallyinsane.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-03-17T21:38:25.000Z","updated_at":"2021-11-15T20:58:58.000Z","dependencies_parsed_at":"2022-08-24T08:50:09.923Z","dependency_job_id":null,"html_url":"https://github.com/reallyinsane/mathan-dependency-updates-sonar-plugin","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/reallyinsane/mathan-dependency-updates-sonar-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reallyinsane%2Fmathan-dependency-updates-sonar-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reallyinsane%2Fmathan-dependency-updates-sonar-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reallyinsane%2Fmathan-dependency-updates-sonar-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reallyinsane%2Fmathan-dependency-updates-sonar-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/reallyinsane","download_url":"https://codeload.github.com/reallyinsane/mathan-dependency-updates-sonar-plugin/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reallyinsane%2Fmathan-dependency-updates-sonar-plugin/sbom","scorecard":{"id":766654,"data":{"date":"2025-08-11","repo":{"name":"github.com/reallyinsane/mathan-dependency-updates-sonar-plugin","commit":"6842a9a408cc56d1e8a56e348290a91e978a22ea"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.5,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/maven.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/maven.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/reallyinsane/mathan-dependency-updates-sonar-plugin/maven.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/maven.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/reallyinsane/mathan-dependency-updates-sonar-plugin/maven.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v7.9.2 not signed: https://api.github.com/repos/reallyinsane/mathan-dependency-updates-sonar-plugin/releases/24525914","Warn: release artifact v7.9.2 does not have provenance: https://api.github.com/repos/reallyinsane/mathan-dependency-updates-sonar-plugin/releases/24525914"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 16 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":3,"reason":"7 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-78wr-2p64-hpwj","Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v","Warn: Project is vulnerable to: GHSA-rhgr-952r-6p8q","Warn: Project is vulnerable to: GHSA-2f88-5hg8-9x2x","Warn: Project is vulnerable to: GHSA-8vhq-qq4p-grq3","Warn: Project is vulnerable to: GHSA-g6ph-x5wf-g337","Warn: Project is vulnerable to: GHSA-jcwr-x25h-x5fh"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T01:02:31.472Z","repository_id":46203899,"created_at":"2025-08-23T01:02:31.472Z","updated_at":"2025-08-23T01:02:31.472Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28314264,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-11T14:58:17.114Z","status":"ssl_error","status_checked_at":"2026-01-11T14:55:53.580Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["component-analysis","dependencies","metrics","security","sonar-plugin","sonarqube"],"created_at":"2026-01-11T17:05:09.176Z","updated_at":"2026-01-11T17:05:09.850Z","avatar_url":"https://github.com/reallyinsane.png","language":"Java","readme":"![Maven metadata URI](https://img.shields.io/maven-metadata/v/http/central.maven.org/maven2/io/mathan/sonar/mathan-dependency-updates-sonar-plugin/maven-metadata.xml.svg)\n![example branch parameter](https://github.com/reallyinsane/mathan-dependency-updates-sonar-plugin/actions/workflows/maven.yml/badge.svg)\n[![Codacy Badge](https://api.codacy.com/project/badge/Grade/bcd46487fd2c4b79b930556275eec3d4)](https://www.codacy.com/app/reallyinsane/mathan-dependency-updates-sonar-plugin?utm_source=github.com\u0026amp;utm_medium=referral\u0026amp;utm_content=reallyinsane/mathan-dependency-updates-sonar-plugin\u0026amp;utm_campaign=Badge_Grade)\n\u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-apache2-blue.svg\"\u003e\u003c/a\u003e\n\n# Dependency-Updates-Report Plugin for SonarQube 7.9 to 9.1\n\nIntegrates [dependency updates report] from [versions-maven-plugin] into SonarQube v7.9. The plugin is compatible with SonarQube versions 7.9 to 9.1.\n\n## About dependency updates report\n\nThe [versions-maven-plugin] has the goal *dependency-updates-report* which creates an overview of available updates for the dependencies of a Maven project. There can be incremental, minor or major version updates.\n\n\n## Note\n\n**This SonarQube plugin does not perform analysis**, rather, it reads existing dependency-updates-reports. Please refer to [versions-maven-plugin] for documentation on how to generate the reports.\n\n## Metrics\n\nThe plugin keeps track of the following statistics:\n\nMetric | Description \n-------|------------\nDependencies to patch | The number of dependencies with patches available (incremental updates). \nDependencies to patch (Ratio) | The ratio of dependencies to patch. \nDependencies to upgrade | The number of dependencies with upgrades available (minor and/or major updates).\nDependencies to upgrade (Ratio) | The ratio of dependencies to upgrade.\nDependencies Total | The total number of dependencies.\nPatch maintenance | The rating of the patch maintenance (see below)\nPatches missed | The total number of patches missed. \nUpgrade maintenance | The rating of the upgrade maintenance (see below)\nUpgrades missed | The total number of upgrades missed. \n\nPlease note that when computing measures on directory/module/project level, measures for identical dependencies are included only once. E.g. if a project contains two sub modules having the same\ndependency, it is included in the measure for each sub module. For the project the measure will not include the dependency multiple times (once for each sub module) but only once.\n\n#### Maintenance rating\n\nThe maintenance rating is based on the ratio of dependencies with patches/upgrades to the total number of dependencies. The ratios of \\\u003c=5%, \\\u003c=10%, \\\u003c=20%, \\\u003c=50% and \u003e50% are the guidelines used to\ndefine the rating. There are slight adaptations for projects with fewer than 50 dependencies.\n\n\nThis metric is not final. For now the rating is calculated the following way. \n\nRatings              | ![a](a.png) | ![b](b.png) | ![c](c.png) | ![d](d.png) | ![e](e.png)   \n---------------------|-------------|-------------|-------------|-------------|------------\nRatio                | \\\u003c=~5%      |  \\\u003c=~10%    | \\\u003c=~20%     | \\\u003c=~50%     | \\\u003e50%\n 0 - 10 dependencies | 0           |  1          |  2          |  3-5        | \\\u003e5\n11 - 20 dependencies | 0-1         |  2-3        |  4-5        |  6-10       | \\\u003e10\n21 - 50 dependencies | 0-2         |  3-5        |  6-10       |  11-25      | \\\u003e25\n50 -    dependencies | 0-5         |  6-10       |  11-20      |  21-50      | \\\u003e50\n\n## Installation\n\nCopy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.\n\n## Plugin Configuration\n\nThe [versions-maven-plugin] will output a file named 'dependency-updates-report.xml' when asked to output XML. The mathan-dependency-updates-sonar-plugin reads an existing dependency updates XML\nreport.\n\nThere is additional configuration available which allows overriding the default mapping from available updates to SonarQube severity. It is also possible to include or exclude certain\ndependencies from the check. Reducing or raising the severity for dependencies can be done too. \n\n### Artifact pattern syntax \n \nThe filters use the artifact pattern syntax known from Maven, extended to allow a comma-separated list of such patterns.\n \nThe pattern is defined like this: `[groupId]:[artifactId]:[type]:[version]:[scope]:[classifier]`. \n\nEach pattern segment is optional and supports full and partial * wildcards. An empty pattern segment is treated as an implicit wildcard. For example, `org.apache.*` would match all artifacts\nwhose group id starts with `org.apache.`, and `:::*-SNAPSHOT` would match all snapshot artifacts.\n\n### Configuration properties\n\nThis plugin offers various configuration options which are explained in the following categories. The settings can be found under Administration \u003e Configuration \u003e General Settings \u003e Dependency-Updates.\n\n#### Appearance\n\nBy default 9 metrics will be reported. With the following configuration, metrics for ratio, rating and missed patches/upgrades can be hidden. Changes to the settings in this category require a restart of\n SonarQube to take effect.\n \nProperty | Default\n---------|--------\nHide missed measures | false\nHide rating measures | false\nHide ratio measures | false \n\n#### Default Severity\n\nFor each kind of update for a dependency the default severity can be defined. This results in all issues for available updates of that kind being created with this severity. All possible severities can\nbe used as value (INFO, MINOR, MAJOR, CRITICAL, BLOCKER).\n\nProperty | Default\n---------|--------\nsonar.dependencyUpdates.updateIncremental | Severity.MINOR\nsonar.dependencyUpdates.updateMinor | Severity.MAJOR\nsonar.dependencyUpdates.updateMajor | Severity.CRITICAL\n\n#### Inclusions/ Exclusions\n\nBy default updates for all dependencies are reported. A whitelist filter and/or a blacklist filter can be used to include/exclude certain dependencies. These filters use the artifact pattern syntax\ndescribed above. Some common use cases for the filters are\n\n- exclude SNAPSHOT dependencies (`:::*-SNAPSHOT`)\n- exclude dependencies with scope test (`::::test`)\n- include dependencies of your own company only (e.g. `com.mycompany.*`)\n\nProperty | Default\n---------|--------\nsonar.dependencyUpdates.inclusions | `:::::` (include all)\nsonar.dependencyUpdates.exclusions | (none)\n\n#### Overrides\n\nIn addition to the global inclusion/exclusion filters and the option to define the default severity per kind of update, overrides can be defined for all severities. Using such a whitelist filter\nwill report updates found for matching dependencies with the corresponding severity. A common use case for these filters is\n\n- increase severity for security related dependencies\n\nProperty | Default\n---------|--------\nsonar.dependencyUpdates.override.info | (none)\nsonar.dependencyUpdates.override.minor | (none)\nsonar.dependencyUpdates.override.major | (none)\nsonar.dependencyUpdates.override.critical | (none)\nsonar.dependencyUpdates.override.blocker | (none)\n\n#### Versions\n\n[versions-maven-plugin] by default reports all versions available in the configured repositories. Some libraries in particular release non-standard alpha, beta, release candidate or milestone \nversions. In general such versions should not be reported by this plugin. Therefore the following configuration property excludes these versions by default. It is also possible to configure this\nfor the [versions-maven-plugin] but then it has to be done per project or globally for Maven.\n\nProperty | Default\n---------|--------\nsonar.dependencyUpdates.versionExclusionRegex | `.*\\[-_\\\\.\\]\\(alpha\\|Alpha\\|ALPHA\\|beta\\|Beta\\|BETA\\|rc\\|RC\\|milestone\\|M\\|EA\\)\\[-_\\\\.\\]?\\[0-9\\]*`\n\nThe second configuration in the Versions category is related to the sub versions reported for minor and major updates. [versions-maven-plugin] will report available patches for minor updates as\ndiscrete versions as it will also report available minors for major updates. When a minor or major update is done, usually the latest patch or minor version is taken respectively. So the following\nconfiguration will exclude additional patches available for minor updates and additional minors available for major updates. It is enabled by default. \n\nProperty | Default\n---------|--------\nsonar.dependencyUpdates.discreteMinorMajor | true\n\nSample for a dependency with version 1.1.0\n\nReported by [versions-maven-plugin] | Recognized (configuration is `false`) | Recognized (configuration is `true`)\n------------------------------------|---------------------------------------|-------------------------------------\nminor updates 1.2.0, 1.2.1, 1.2.2, 1.3.0 | 4 (1.2.0, 1.2.1, 1.2.2, 1.3.0) | 2 (1.2.2, 1.3.0)\nmajor updates 2.0.0, 2.1.0, 2.2.0, 3.0.0, 4.0.0 | 5 (2.0.0, 2.1.0, 2.2.0, 3.0.0, 4.0.0) | 3 (2.2.0, 3.0.0, 4.0.0)\n\n[dependency updates report]: https://www.mojohaus.org/versions-maven-plugin/dependency-updates-report-mojo.html\n[versions-maven-plugin]: https://github.com/mojohaus/versions-maven-plugin\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freallyinsane%2Fmathan-dependency-updates-sonar-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freallyinsane%2Fmathan-dependency-updates-sonar-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freallyinsane%2Fmathan-dependency-updates-sonar-plugin/lists"}