Integrates dependency updates report from versions-maven-plugin into SonarQube v7.3 or higher.
The versions-maven-plugin has the goal dependency-updates-report, which creates an overview of the available updates for the dependencies of a Maven project. Updates can be incremental, minor or major version updates.
This SonarQube plugin does not perform any analysis itself; it reads existing dependency-updates reports. Please refer to the versions-maven-plugin documentation for how to generate the reports.
The plugin keeps track of the following statistics:
Metric | Description |
---|---|
Dependencies to patch | The number of dependencies with patches available (incremental updates). |
Dependencies to patch (Ratio) | The ratio of dependencies to patch. |
Dependencies to upgrade | The number of dependencies with upgrades available (minor and/or major updates). |
Dependencies to upgrade (Ratio) | The ratio of dependencies to upgrade. |
Patch maintenance | The rating of the patch maintenance (see below) |
Patches missed | The total number of patches missed. |
Upgrade maintenance | The rating of the upgrade maintenance (see below) |
Upgrades missed | The total number of upgrades missed. |
The raw number of dependencies with patches/upgrades available cannot be used for the rating on its own, since the rating should also account for the ratio to the total number of dependencies and for the number of patches/upgrades missed per dependency.
This metric is not final. For now the rating is based on the corresponding ratio.
Ratio | Rating |
---|---|
< 5% | (rating image) |
< 10% | (rating image) |
< 20% | (rating image) |
< 50% | (rating image) |
>= 50% | (rating image) |
Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.
The versions-maven-plugin will output a file named 'dependency-updates-report.xml' when asked to output XML. The mathan-dependency-updates-sonar-plugin reads an existing dependency updates XML report.
Additional configuration allows overriding the default mapping from available update type to SonarQube severity. It is also possible to include or exclude certain dependencies from the check, and to lower or raise the severity for specific dependencies.
The filters use the artifact pattern syntax already known from Maven, extended to allow a comma-separated list of such patterns.
The pattern is defined like this: `[groupId]:[artifactId]:[type]:[version]:[scope]:[classifier]`.
Each pattern segment is optional and supports full and partial `*` wildcards. An empty pattern segment is treated as an implicit wildcard. For example, `org.apache.*` would match all artifacts whose group id starts with `org.apache.`, and `:::*-SNAPSHOT` would match all snapshot artifacts.
Property | Description | Default |
---|---|---|
sonar.dependencyUpdates.updateIncremental | Overrides the severity used for dependencies with incremental updates available. (INFO, MINOR, MAJOR, CRITICAL, BLOCKER) | Severity.MINOR |
sonar.dependencyUpdates.updateMinor | Overrides the severity used for dependencies with minor updates available. (INFO, MINOR, MAJOR, CRITICAL, BLOCKER) | Severity.MAJOR |
sonar.dependencyUpdates.updateMajor | Overrides the severity used for dependencies with major updates available. (INFO, MINOR, MAJOR, CRITICAL, BLOCKER) | Severity.CRITICAL |
sonar.dependencyUpdates.inclusions | Filter (see Artifact pattern syntax) to include certain dependencies only. | ::::: (include all) |
sonar.dependencyUpdates.exclusions | Filter (see Artifact pattern syntax) to exclude certain dependencies. | (none) |
sonar.dependencyUpdates.override.info | Filter (see Artifact pattern syntax) to override the severity to INFO for matching dependencies that have updates available. | (none) |
sonar.dependencyUpdates.override.minor | Filter (see Artifact pattern syntax) to override the severity to MINOR for matching dependencies that have updates available. | (none) |
sonar.dependencyUpdates.override.major | Filter (see Artifact pattern syntax) to override the severity to MAJOR for matching dependencies that have updates available. | (none) |
sonar.dependencyUpdates.override.critical | Filter (see Artifact pattern syntax) to override the severity to CRITICAL for matching dependencies that have updates available. | (none) |
sonar.dependencyUpdates.override.blocker | Filter (see Artifact pattern syntax) to override the severity to BLOCKER for matching dependencies that have updates available. | (none) |
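As an added illustration (not the plugin's own code), the following Python model implements the artifact pattern syntax and the property semantics described above, so that inclusion, exclusion and override filters can be dry-run against a dependency list before they are put into a SonarQube configuration. The precedence between several matching override filters is not stated in the README; the model assumes the most severe one wins, and the sample settings are constructed.

```python
import re

# Segment order and defaults as given in the README.
SEGMENTS = ("groupId", "artifactId", "type", "version", "scope", "classifier")
DEFAULT_SEVERITY = {"incremental": "MINOR", "minor": "MAJOR", "major": "CRITICAL"}
PREFIX = "sonar.dependencyUpdates."

def _segment_matches(value, pattern):
    """Only '*' is a wildcard (full or partial); all other characters are literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def parse_filter(spec):
    """Split a comma-separated filter into six-segment patterns.
    Empty segments, and segments missing at the end, become implicit '*'."""
    patterns = []
    for raw in (p.strip() for p in spec.split(",")):
        if not raw:
            continue
        parts = raw.split(":")
        if len(parts) > len(SEGMENTS):
            raise ValueError(f"too many segments in pattern {raw!r}")
        parts += [""] * (len(SEGMENTS) - len(parts))
        patterns.append(tuple(p or "*" for p in parts))
    return patterns

def matches(artifact, spec):
    """True if the artifact (dict keyed by SEGMENTS) matches any pattern in spec."""
    return any(all(_segment_matches(artifact.get(s, ""), p) for s, p in zip(SEGMENTS, pat))
               for pat in parse_filter(spec))

def severity_for(artifact, update_kind, settings):
    """Severity the update would be reported with, or None if the dependency is filtered out.
    Assumption (README is silent): if several override.* filters match, the most severe wins."""
    if not matches(artifact, settings.get(PREFIX + "inclusions", ":::::")):
        return None
    if matches(artifact, settings.get(PREFIX + "exclusions", "")):
        return None
    for level in ("blocker", "critical", "major", "minor", "info"):
        if matches(artifact, settings.get(f"{PREFIX}override.{level}", "")):
            return level.upper()
    prop = {"incremental": "updateIncremental", "minor": "updateMinor", "major": "updateMajor"}
    return settings.get(PREFIX + prop[update_kind], DEFAULT_SEVERITY[update_kind])

# Constructed example settings: snapshot dependencies are excluded from the check,
# and updates to two crypto/security libraries are escalated to BLOCKER.
SETTINGS = {
    PREFIX + "exclusions": ":::*-SNAPSHOT",
    PREFIX + "override.blocker": "org.bouncycastle:*, org.apache.shiro:*",
}
```

Running a real dependency list through `severity_for` before deploying the filters makes it visible which dependencies an exclusion silently drops from the report.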