fabric8-analytics-vscode-extension
[BUG] com.google.code.findbugs/jsr305@3.0.2 version problem
Describe the bug
I have:
...
<dependency>
    <!--
    Standard annotations (such as @NonNull) that can be applied to Java programs to assist tools that
    detect software defects.
    https://jcp.org/en/jsr/detail?id=305
    -->
    <groupId>com.google.code.findbugs</groupId>
    <artifactId>jsr305</artifactId>
    <version>3.0.2</version>
</dependency>
...
as a dependency in my pom.xml.
I'm getting the following problem message from Red Hat Dependency Analytics Plugin:
com.google.code.findbugs/jsr305@3.0.2
osv-nvd(osv-nvd) vulnerability info:
Known security vulnerabilities: 0
Recommendation: com.google.code.findbugs/jsr305@3.0.2.redhat-00018
VSCode:
- OS: Ubuntu 22.04
- VSCode version: 1.88.1
- Dependency Analytics Version: v0.9.4
Additional context
I tried to use the com.google.code.findbugs/jsr305@3.0.2.redhat-00018 version, but it looks like it is only available in the Red Hat Early Access repository (but not in Maven Central).
Hi @rubensa, it's also available in the GA repository.
You have to add the GA Red Hat Repository to your Maven repositories in the settings.xml file; you can find the instructions here.
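As an added illustration of the settings.xml change the maintainer describes (not part of the thread and not Red Hat's own documentation), the following profile adds the Red Hat GA repository alongside Maven Central. The repository URL is the one I know from Red Hat's public documentation and should be checked against the linked instructions; the profile id and repository id are arbitrary names chosen here.

```xml
<!-- ~/.m2/settings.xml (constructed example; ids are arbitrary) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <profile>
      <id>redhat-ga</id>
      <repositories>
        <repository>
          <id>redhat-ga-repository</id>
          <!-- Red Hat GA repository (assumed URL, verify against the official instructions).
               HTTPS only; release artifacts only, so no snapshot builds are ever resolved from it. -->
          <url>https://maven.repository.redhat.com/ga/</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>false</enabled></snapshots>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>redhat-ga-plugin-repository</id>
          <url>https://maven.repository.redhat.com/ga/</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>false</enabled></snapshots>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
  <!-- Activate the profile for every build; Maven Central stays the default repository
       and the redhat-NNNNN version in the pom decides which artifact is actually fetched. -->
  <activeProfiles>
    <activeProfile>redhat-ga</activeProfile>
  </activeProfiles>
</settings>
```

With this in place the pom can pin `<version>3.0.2.redhat-00018</version>` and `mvn dependency:resolve` will report which repository each artifact came from, which is a quick check that only the intended dependency moved off Maven Central.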
@ruromero Thanks for the info
But the thing is, why is the extension proposing a fix for a package with 0 vulnerabilities, and why is the proposed package not from Maven Central but from another repository (whereas the original one is in Maven Central)? And where is the source code and changeset for the proposed Red Hat package version, to check whether that change makes sense or not?
Hi @rubensa, it's a recommendation of a Red Hat alternative that will bring you better support and more frequent patches. You can expect vulnerabilities to be reported earlier in RH supported packages and to be notified about vulnerable packages from the Red Hat security data feeds. Besides, packages pushed to the RH repository have been certified and signed by RH, whereas Maven Central can host any package from any developer. The source code is also available in the RH repository, but we're not providing the specific changeset that justifies in any way any functional benefit of using it.
That's why it is underlined in blue, meaning that it's just a suggestion.
@ruromero Thank you for the info.
Could you provide me the URL for the RH repository with the source code?
Definitely! In the same Maven repository you can find all the sources. This is the source code of the artifact mentioned in the issue com.google.findbugs:jsr305:3.0.2.redhat-00018
Thanks @ruromero, but I meant the source code repository (GitHub or something?) :sweat:
For this specific package I honestly don't know. The pom says the source control management is at http://findbugs.googlecode.com/svn/trunk/ but this link is not working.
I think that is because the code in the googlecode repository is now archived: https://code.google.com/archive/p/findbugs/source/default/source
It was, at sometime, moved to GitHub: https://github.com/findbugsproject/findbugs
But currently, the development is done in new GitHub project: https://github.com/spotbugs/spotbugs
The thing here is that all those source code repositories are for the original project code, not the Red Hat "modified" code...
@rubensa I'm afraid I can't give you a proper answer. Red Hat modified code is sometimes managed in internal repositories although the packages published include the source.
Why do you think this is a relevant information in this extension?
@ruromero I think it is relevant, as the extension is suggesting to replace the Google FindBugs dependency with a "custom" Red Hat implementation dependency that is not available in the default Maven (Central) repository, so it implies adding the Red Hat Early Access repository, and without a clear reason for that suggestion, as there seem to be no vulnerabilities in the Google FindBugs implementation (remember that the message says Known security vulnerabilities: 0).
To be precise, we're suggesting to add the Red Hat GA repository. The reasons were stated a few comments above; let me know if they're not clear. Some companies/teams usually have a set of whitelisted/trusted sources for repositories that might not be limited only to Maven Central. If I am understanding correctly, your concern was the lack of a direct reference to the repository source. Is that right? As I mentioned, I don't think we can implement adding this information at the moment.
What the tool is trying to achieve with the recommendations is to get more users to use the Red Hat supported software, but if you don't want to have Red Hat recommendations, you might find an option to disable them useful?
Thanks for your interest.
Thanks @ruromero, an option to disable this kind of recommendation would be fine for us.