DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

alpine-parent is not available #3766

Closed markusmuellerusi closed 4 months ago

markusmuellerusi commented 4 months ago

Current Behavior

Alpine projects are required to be published on a Maven repo. 2.2.6 is missing. (no snapshots, real versions)

Steps to Reproduce

  1. https://oss.sonatype.org/ has no official version -> https://oss.sonatype.org/#nexus-search;gav~us.springett~alpine-parent~~~~kw,versionexpand
  2. https://mvnrepository.com/artifact/us.springett/alpine-executable-war

Expected Behavior

Provide used artefacts in official repos.

Dependency-Track Version

4.11.1

Dependency-Track Distribution

Executable WAR

Database Server

Microsoft SQL Server

Database Server Version

No response

Browser

Microsoft Edge

nscuro commented 4 months ago

Alpine snapshots are published to the OSSRH snapshot repository, e.g. https://oss.sonatype.org/content/repositories/snapshots/us/springett/alpine-common/

This repository is configured in Dependency-Track's POM: https://github.com/DependencyTrack/dependency-track/blob/1f2cc281a14de473485f35846e96f89a738bf321/pom.xml#L142-L151

Releasing new versions of Alpine for every single change is currently not practical for us. A new version of Alpine will be released and published to Maven Central when we are certain that it's fully operational and doesn't cause any regressions in DT.
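For readers who want to mirror the setup described above in their own build, here is the shape of a Maven `<repositories>` entry that pulls only snapshots from the OSSRH snapshot repository while leaving releases to Maven Central. This is an added illustration, not the lines from Dependency-Track's pom.xml linked above; the repository `id` and the dependency coordinates and version are assumptions for the example (the snapshot URL and group id are the ones given in the thread).

```xml
<!-- Added example POM fragment, not Dependency-Track's own pom.xml. -->
<project>
  <repositories>
    <!-- OSSRH snapshot repository (URL from the thread). Releases are
         disabled here, so a release artifact can only be resolved from
         Maven Central, which remains the default repository. -->
    <repository>
      <id>ossrh-snapshots</id> <!-- assumed id -->
      <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
      <releases>
        <enabled>false</enabled>
      </releases>
      <snapshots>
        <enabled>true</enabled>
        <!-- fail the build if a downloaded snapshot's checksum does not match -->
        <checksumPolicy>fail</checksumPolicy>
      </snapshots>
    </repository>
  </repositories>

  <dependencies>
    <dependency>
      <groupId>us.springett</groupId>
      <artifactId>alpine-common</artifactId> <!-- assumed artifact -->
      <!-- Snapshot versions must be pinned explicitly. On a release branch
           such as 4.11.x a released version (2.2.5) is used instead. -->
      <version>3.0.0-SNAPSHOT</version>
    </dependency>
  </dependencies>
</project>
```

A snapshot version resolves to whatever was most recently deployed under that name, so the checksum policy only protects the transfer, not the identity of the build. For an organization that forbids consuming external snapshots, the option the thread points to is building from a release branch (4.11.x), which pins a released Alpine version available from Maven Central.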

markusmuellerusi commented 4 months ago

Then please publish Alpine 2.2.6. It's missing. I do not really want to use a snapshot. But 2.2.6 has the run-in-transaction, which is used in Dependency-Track 4.11. Thanks in advance and best wishes.

nscuro commented 4 months ago

I get the frustration, in particular when your organization does not allow consumption from external snapshot repositories.

> Then please publish Alpine 2.2.6. It's missing. I do not really want to use a snapshot. But 2.2.6 has the run-in-transaction, which is used in Dependency-Track 4.11.

Version 4.11.x of Dependency-Track is using Alpine 2.2.5: https://github.com/DependencyTrack/dependency-track/blob/a0c5045bb700aa1e03bbc33db286717f367c7727/pom.xml#L24-L28

Note that the master branch is used for the next minor version (hence being 4.12.0-SNAPSHOT). We create separate release branches (i.e. 4.11.x as linked above) for backporting any critical bugfixes.

Version 2.2.6 of Alpine will never be released, due to various larger changes. Among them:

2.2.6-SNAPSHOT has been changed to 3.0.0-SNAPSHOT. Dependency-Track 4.12.0-SNAPSHOT has migrated to Alpine 3.0.0-SNAPSHOT via https://github.com/DependencyTrack/dependency-track/pull/3730, which was merged yesterday.

nscuro commented 4 months ago

If you want to contribute a bugfix (not a feature), you could base your work on the 4.11.x branch and raise a PR into that. We can then take care of porting the fix to master.

Usually we do it the other way around (backporting from master to 4.11.x), but in the end it doesn't really matter.

markusmuellerusi commented 4 months ago

Thanks a lot for the clarification!

github-actions[bot] commented 3 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.