https://github.com/leplusorg/docker-maven-check-versions
Docker container to run the Maven Versions plugin.
https://github.com/leplusorg/docker-maven-check-versions
cli dependency-analysis docker docker-container docker-image dockerfile maven maven-versions-plugin
Last synced: 3 months ago
JSON representation
Docker container to run the Maven Versions plugin.
- Host: GitHub
- URL: https://github.com/leplusorg/docker-maven-check-versions
- Owner: leplusorg
- License: apache-2.0
- Created: 2022-11-27T03:20:08.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-04-10T11:32:26.000Z (3 months ago)
- Last Synced: 2025-04-10T12:53:01.540Z (3 months ago)
- Topics: cli, dependency-analysis, docker, docker-container, docker-image, dockerfile, maven, maven-versions-plugin
- Language: Shell
- Homepage: https://hub.docker.com/r/leplusorg/maven-check-versions
- Size: 493 KB
- Stars: 2
- Watchers: 2
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
README
# Maven Check Versions
Docker container to run the Maven Versions plugin.
[](https://img.shields.io/badge/GitHub-Dockerfile-blue)](maven-check-versions/Dockerfile)
[](https://github.com/leplusorg/docker-maven-check-versions/actions?query=workflow:"Docker")
[](https://hub.docker.com/r/leplusorg/maven-check-versions)
[](https://hub.docker.com/r/leplusorg/maven-check-versions)
[](https://hub.docker.com/r/leplusorg/maven-check-versions)
[](https://bestpractices.coreinfrastructure.org/projects/10080)
[](https://securityscorecards.dev/viewer/?uri=github.com/leplusorg/docker-maven-check-versions)
## Purpose
This containers is meant to be used in CI/CD pipeline to detect when newer versions of Maven dependencies or plugins are avaible.
## Requirements
The image comes with Maven installed so it only needs a pom.xml to analyze. However if you want to control the version of Maven to be used instead, just make sure that there is a Maven wrapper script (mvnw) pointing to that version next to the pom.xml. For more information on how to install the maven wrapper in your project, see the [documentation](https://maven.apache.org/wrapper/).
The script uses the Versions plugin (more details [here](https://www.mojohaus.org/versions-maven-plugin/)). By default Maven will use the latest version of the plugin that it supports but you can set the desired version inside your pom.xml:
```xml
...
2.14.0
...
...
...
org.codehaus.mojo
versions-maven-plugin
${maven.versions.plugin}
...
```
## GitHub
To use this container in a GitHub worklow, add the following action file `.github/workflows/maven-check-versions.yml` to your project:
```yaml
---
name: Maven Check Versions
on:
schedule:
- cron: "0 0 * * 0"
workflow_dispatch:
permissions: {}
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Check the versions
uses: docker://leplusorg/maven-check-versions:3.9.8@sha256:83d9758a4a0626f58376924c602919f14a782aa49e5e2bfb86de1f797de16cdd
```
This way the action can be triggered manually and otherwise it runs
automatically once per week.
## GitLab
To use this container in a GitLab step, add the following step to the stage of your choice:
```yaml
maven check versions:
image:
name: leplusorg/maven-check-versions:3.9.8@sha256:83d9758a4a0626f58376924c602919f14a782aa49e5e2bfb86de1f797de16cdd
script:
- "/opt/maven-check-versions.sh"
```
## Ignoring versions
You can define which versions should be ignored using the
`IGNORED_VERSIONS` OS environment variable which will be passed to the
maven versions plugin as `maven.version.ignore` (see
[here](https://www.mojohaus.org/versions/versions-maven-plugin/version-rules.html#Using_the_maven.version.ignore_property)
for details). For example, you can set `IGNORED_VERSIONS` to
`(?i).+-(alpha|beta).+,(?i).+-m\\d+,(?i).+-rc\\d+` to ignore alpha,
beta, mark or release candidate versions.
## Manually using Docker
**Mac/Linux**
```bash
docker run --rm -t --user="$(id -u):$(id -g)" -v "$(pwd):/opt/project" leplusorg/maven-check-versions
```
**Windows**
In `cmd`:
```batch
docker run --rm -t -v "%cd%:/opt/project" leplusorg/maven-check-versions
```
In PowerShell:
```pwsh
docker run --rm -t -v "${PWD}:/opt/project" leplusorg/maven-check-versions
```
## Software Bill of Materials (SBOM)
To get the SBOM for the latest image (in SPDX JSON format), use the
following command:
```bash
docker buildx imagetools inspect leplusorg/maven-check-versions --format '{{ json (index .SBOM "linux/amd64").SPDX }}'
```
Replace `linux/amd64` by the desired platform (`linux/amd64`, `linux/arm64` etc.).
### Sigstore
[Sigstore](https://docs.sigstore.dev) is trying to improve supply
chain security by allowing you to verify the origin of an
artifcat. You can verify that the jar that you use was actually
produced by this repository. This means that if you verify the
signature of the ristretto jar, you can trust the integrity of the
whole supply chain from code source, to CI/CD build, to distribution
on Maven Central or whever you got the jar from.
You can use the following command to verify the latest image using its
sigstore signature attestation:
```bash
cosign verify leplusorg/maven-check-versions --certificate-identity-regexp 'https://github\.com/leplusorg/docker-maven-check-versions/\.github/workflows/.+' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
```
The output should look something like this:
```text
Verification for index.docker.io/leplusorg/xml:main --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
[{"critical":...
```
For instructions on how to install `cosign`, please read this [documentation](https://docs.sigstore.dev/cosign/system_config/installation/).