{"id":20314613,"url":"https://github.com/release-engineering/redhat-repository-validator","last_synced_at":"2025-04-11T17:20:48.705Z","repository":{"id":2336101,"uuid":"10219737","full_name":"release-engineering/redhat-repository-validator","owner":"release-engineering","description":null,"archived":false,"fork":false,"pushed_at":"2023-12-05T21:54:58.000Z","size":607,"stargazers_count":11,"open_issues_count":17,"forks_count":14,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-04-06T23:46:56.124Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/release-engineering.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2013-05-22T12:50:53.000Z","updated_at":"2024-02-10T23:36:51.000Z","dependencies_parsed_at":"2022-09-06T15:41:19.014Z","dependency_job_id":"ef05ea22-f898-4231-bf10-5b6eda824f5b","html_url":"https://github.com/release-engineering/redhat-repository-validator","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/release-engineering%2Fredhat-repository-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/release-engineering%2Fredhat-repository-validator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/release-engineering%2Fredhat-repository-validator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/release-engineering%2Fredhat-repository-validator/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/release-engineering","download_url":"https://codeload.github.com/release-engineering/redhat-repository-validator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248447609,"owners_count":21105140,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T18:16:03.957Z","updated_at":"2025-04-11T17:20:48.681Z","avatar_url":"https://github.com/release-engineering.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"redhat-repository-validator\n===========================\n\n[![Build Status](https://travis-ci.org/thradec/redhat-repository-validator.png)](https://travis-ci.org/thradec/redhat-repository-validator)\n\n\n**redhat-repository-validator** is a tool used to validate the internal consistency of a maven artifact repository. It can also be used for validation of the associated distribution directory.\n\nReleased versions can be downloaded from [Bintray](https://bintray.com/thradec/generic/redhat-repository-validator/). \n\n\nBuilding\n--------\n\n- prerequisites: Java, Maven and Git\n- clone project from github `$ git clone git@github.com:thradec/redhat-repository-validator.git`\n- go into the newly created directory `$ cd redhat-repository-validator`\n- and run maven build `$ mvn clean package`\n- executable distribution is available in `target/redhat-repository-validator-$VERSION` directory or zip file\n\n\nUsage\n-----\n\nThis tool can be run from the command line via the `redhat-repository-validator` script. 
The only prerequisite is Java 1.6 or greater on the path.\n\nHere is the help output: \n\n\n    redhat-repository-validator is a tool used to validate the internal consistency of a maven artifact repository.\n    \n    Usage: redhat-repository-validator [-c \u003cfile\u003e] [-h] [-lr \u003cdir\u003e] [-rr \u003curl\u003e] [-vr \u003cdir\u003e] [-vd \u003cdir\u003e]\n        -c,--config \u003cfile\u003e                 use given configuration file,\n                                           default value is `redhat-repository-validator-config.xml`\n        -h,--help                          print help and exit\n        -lr,--local-repository \u003cdir\u003e       use given local repository,\n                                           default value is `workspace/local-repository`\n        -rr,--remote-repository \u003curl\u003e      use given remote repository, this option can be used multiple times,\n                                           default remote repository is only maven central\n        -vr,--validated-repository \u003cdir\u003e   validate given repository,\n                                           default value is `workspace/validated-repository`\n        -vd,--validated-distribution \u003cdir\u003e validate given distribution, verify if current distribution is valid\n                                           default value is `workspace/validated-distribution`\n    \n    Example: \n        to run against a given validated repository directory, use: \n        $ redhat-repository-validator -vr ~/myrepository\n\n\nValidators\n----------\n\n- `DependenciesValidator` try to resolve all required dependencies (scope test, runtime and provided, or optional dependencies are skipped)\n- `ModelValidator` make sure that all pom files are \"loadable\" (maven can load its model with strict validation level)\n- `ChecksumValidator` validate checksums for all repository artifacts (by default readme and example settings.xml are excluded from this rule)\n- 
`JarSignatureValidator` validate that all jar files are signed/unsigned\n- `SuspiciousFileValidator` try to find suspicious files in repository (e.g. jar without pom, checksum without source file, empty directory, etc.)\n- `BestPracticesValidator` validate rules defined for maven central repository, more details [here](https://docs.sonatype.org/display/Repository/Central+Sync+Requirements)\n- `BomDependencyNotFoundValidator` try to resolve all artifacts defined in dependency management\n- `BomUnmanagedVersionValidator` try to find artifacts which are not defined in any bom files\n- `BomAmbiguousVersionValidator` try to find artifacts whose version is defined ambiguously in bom files\n- `BomVersionPropertyValidator` try to find boms which define dependencies without version property\n- `VersionAmbiguityValidator` try to find artifacts which have multiple versions in repository\n- `VersionOverlapValidator` try to find artifacts which overlap with other remote repositories\n- `VersionPatternValidator` try to find artifacts whose version doesn't match regex pattern (e.g. 
-redhat-x postfix)\n- `JarSourcesValidator` try to find artifacts which do not contain sources within them (verify if _*-sources.jar_ exists)\n- `XmlFileValidator` try to find xml files and then verify if they are valid\n- `DistributionValidator` try to validate artifacts in distribution against validated repository\n- `OsgiVersionValidator` try to find artifacts whose version doesn't match the OSGi pattern (by default disabled, via filter configuration)\n- `RemoteRepositoryCompareValidator` try to ensure that every artifact in validated repository is available online and is binary identical (it has to be explicitly enabled via configuration, it needs remote repository url and comparing strategy)\n- `RemoteRepositoryCollisionValidator` try to ensure that artifact is not already published in given remote repository, in default configuration it is used against maven central repository (https://repo1.maven.org/maven2/) and JBoss repository (https://repository.jboss.org/nexus/content/groups/public-jboss/)  \n\n\nReporters\n---------\n\n- `DefaultReporter` produces simple text reports, which are written by default into the log and into the file `workspace/report.txt`\n- `SurefireXmlReporter` produces xml files in the same format as the maven surefire plugin, which can be consumed by tools like Jenkins, default output directory is `workspace/surefire-reports`\n\n\nHow to\n------\n\n#### How to change configuration ?\n\nLogging configuration can be changed in `redhat-repository-validator-logback.xml` file, default logger output is console and file log.txt, located in workspace subdirectory.\nTool configuration can be changed in `redhat-repository-validator-config.xml` file and it contains some examples already.\n\n\n#### How to add whitelist/filter ?\n\nA file filter (interface `IOFileFilter`) is injected into each validator, which allows selected files to be skipped. \nBy convention, filter beans have an id consisting of the validator name with the suffix filter, for example `checksumValidatorFilter`. 
\nThese filter beans can be redefined in an external configuration file, see the xml or groovy `fooValidatorFilter` examples.\n\n\n#### How to add remote repository ?\n\nA remote repository can be added via the command line option `-rr`, for example `$ redhat-repository-validator -rr file://foo-repository`. \nOr it can be added permanently in the configuration file, see the `fooRepository` snippet, which includes a variant with user authentication.\n\n\n#### How to add custom validation/report ?\n\nValidators/reporters have to implement interface `com.redhat.repository.validator.Validator/Reporter`, \nfor a simple example take a look at the `ChecksumValidator` implementation. \nThe jar file with the new validator/reporter needs to be added into the `lib` subdirectory, so it will automatically end up \non the classpath.\nAs a last step the new bean has to be configured in `redhat-repository-validator-config.xml`, see the example with `fooValidator`.        \n\n\n#### How to execute only specified validators ?\n\nBy default all validators on the classpath are gathered and executed. There might be cases where running all of them is not practical.\nThe class that executes the validators is an ordinary bean. 
That means it can be redefined in the `redhat-repository-validator-config.xml`.\nUsing the example below will result in execution of only `JarSourcesValidator` and `JarSignatureValidator`.\n\n```xml\n...\n\u003cbean id=\"validationExecutor\" class=\"com.redhat.repository.validator.ValidationExecutor\"\u003e\n    \u003cconstructor-arg\u003e\n        \u003clist\u003e\n            \u003cref bean=\"jarSourcesValidator\"/\u003e\n            \u003cref bean=\"jarSignatureValidator\"/\u003e\n        \u003c/list\u003e\n    \u003c/constructor-arg\u003e\n\u003c/bean\u003e\n...\n```\n\n\n#### How to execute only specified reporters ?\n\nAs with validators, there might be cases where running all of the reporters is not practical.\nThe class that executes the reporters is also an ordinary bean and can be redefined in the `redhat-repository-validator-config.xml`.\nUsing the example below will result in execution of only the `SurefireXmlReporter`.\n\n```xml\n...\n\u003cbean id=\"reportingExecutor\" class=\"com.redhat.repository.validator.ReportingExecutor\"\u003e\n    \u003cconstructor-arg\u003e\n        \u003clist\u003e\n            \u003cref bean=\"surefireXmlReporter\"/\u003e\n        \u003c/list\u003e\n    \u003c/constructor-arg\u003e\n\u003c/bean\u003e\n...\n```\n\n\n#### How to filter out (ignore) specified exceptions ?\n\nredhat-repository-validator allows filtering (ignoring) of exceptions using one of the following configuration options. The\nconfiguration is XML based and needs to be added into the `redhat-repository-validator-config.xml`. 
Such filtered exceptions will not\nbe passed to the reporters.\n\n##### Filtering exceptions based on filename and filepath regex\nThe following example shows filtering of the `SuspiciousFileException` for all files ending with `.xsd`:\n\n```xml\n...\n\u003cfilter:file name-regex=\".*\\.xsd\" exception=\"SuspiciousFileException\" /\u003e\n...\n```\n\nThe following example shows filtering of the `SuspiciousFileException` with `foobar` in message for all files ending with `.xsd` and with `/foo/bar/` in relative path:\n\n```xml\n...\n\u003cfilter:file path-regex=\".*/foo/bar/.*\\.xsd\" exception=\"SuspiciousFileException\" exception-msg-regex=\".*foobar.*\"/\u003e\n...\n```\n\nPlease consult the sample `redhat-repository-validator-config.xml` for more examples of the filename-based filters.\n\n##### Filtering (bom) dependency not found exceptions\n`DependencyNotFoundException`s and `BomDependencyNotFoundException`s can be filtered out based on the information about\nthe missing artifact and the validated artifact (e.g. 
the pom file that references the missing artifact).\nThe artifact regular expressions have format `groupId:artifactId:extension:[classifier]:version` and use the standard Java regular\nexpression syntax.\nThe following example shows filtering of the `DependencyNotFoundException` for the specified missing artifact referenced\nfrom the artifact matching the validated-artifact regex.\n```xml\n...\n\u003cfilter:dependency-not-found missing-artifact=\"com.acme:finance:.*:jar\" validated-artifact=\"com.acme:parent:.*:pom\" /\u003e\n...\n```\nPlease consult the sample `redhat-repository-validator-config.xml` for more examples of the `(bom-)dependency-not-found` filters.\n\n\n#### How to add custom RemoteRepositoryCollisionValidator\n\nIf you want to check that an artifact is not already published in some other remote repository, \nfor example RedHat techpreview repository (https://maven.repository.redhat.com/techpreview), \nyou have to add the following configuration into `redhat-repository-validator-config.xml`.\n\n```xml\n\u003cbean id=\"redhatTechpreviewCollisionValidator\" class=\"com.redhat.repository.validator.impl.remoterepository.RemoteRepositoryCollisionValidator\"\u003e\n    \u003cconstructor-arg name=\"remoteRepositoryUrl\" value=\"https://maven.repository.redhat.com/techpreview\" /\u003e\n    \u003cconstructor-arg name=\"checksumProvider\" ref=\"nexusChecksumProvider\" /\u003e\n\u003c/bean\u003e\n\u003cbean id=\"nexusChecksumProvider\" class=\"com.redhat.repository.validator.impl.remoterepository.ChecksumProviderNexus\" /\u003e    \n```\n\n#### How to add custom BOM filter\n\nThere is no reliable way to recognize BOMs. \nThe default implementation of `BomFilter` checks whether the artifact name or group contains the \"bom\" string. 
\nIf it is not sufficient, you can provide your own implementation, or you can provide a hint in the form of a regular expression, which is used against the GAV, see the example below.\n\n```xml\n\u003cbean id=\"bomFilter\" class=\"com.redhat.repository.validator.impl.bom.BomFilterSimple\"\u003e\n    \u003cconstructor-arg name=\"bomGavRegex\" value=\".*:myBillOfMaterials:pom:.*\" /\u003e\n\u003c/bean\u003e\n``` \n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frelease-engineering%2Fredhat-repository-validator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frelease-engineering%2Fredhat-repository-validator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frelease-engineering%2Fredhat-repository-validator/lists"}