Commit 1367fa3

robaiken, felicitymay, SiaraMist authored Nov 6, 2024
Adding Adding Repository Information in pom.xml Files doc (#52775)
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
1 parent effd343 commit 1367fa3

3 files changed

+59
-0
lines changed

 

‎content/code-security/dependabot/ecosystems-supported-by-dependabot/index.md

Lines changed: 1 addition & 0 deletions
@@ -15,4 +15,5 @@ topics:
1515
shortTitle: Dependabot ecosystems
1616
children:
1717
- /supported-ecosystems-and-repositories
18+
- /optimizing-java-packages-dependabot
1819
---
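Review bot: the new `children` entry `/optimizing-java-packages-dependabot` has to match the filename of the new article, and the path header for that file is not visible in this view. The reusable added later in this commit links to `/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot`, so confirm the new file really is named `optimizing-java-packages-dependabot.md` under `content/code-security/dependabot/ecosystems-supported-by-dependabot/`; if the name differs, both the index child and the AUTOTITLE links will fail to resolve.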
@@ -0,0 +1,54 @@
1+
---
2+
title: Optimizing Java packages for Dependabot updates
3+
intro: 'By including metadata in your `pom.xml` file, you can enhance the information available to users in {% data variables.product.prodname_dependabot%} pull requests to update your Java packages.'
4+
shortTitle: Optimize Java packages # Max 31 characters
5+
allowTitleToDifferFromFilename: true
6+
versions:
7+
fpt: '*'
8+
ghec: '*'
9+
ghes: '*'
10+
type: how_to
11+
topics:
12+
- Dependabot
13+
- Dependencies
14+
- Repositories
15+
---
16+
17+
{% data variables.product.prodname_dependabot %} uses the information defined in `pom.xml` files to create pull requests to update Java dependencies for the Gradle and Maven ecosystems. When you include the project metadata that {% data variables.product.prodname_dependabot %} expects, pull requests contain links to the release notes for the suggested package update and a link where users can report any issues. This information means that users can update their packages with confidence after reviewing all the release information.
18+
19+
## Including the metadata {% data variables.product.prodname_dependabot %} needs in pom.xml files
20+
21+
{% data variables.product.prodname_dependabot %} uses the URLs for the project, the source code management system, and the issue management system to build the summary for update pull requests.
22+
23+
* `url` the home page for the project, see [More Project Information](https://maven.apache.org/pom.html#More_Project_Information) in the POM reference
24+
* `scm` the URL of the source code management system used by the project, see [SCM](https://maven.apache.org/pom.html#scm) in the POM Reference
25+
* `issueManagement` the URL of the issue management system used by the project, see [Issue Management](https://maven.apache.org/pom.html#issue-management) in the POM Reference
26+
27+
### Example for a project hosted on {% data variables.product.github %}
28+
29+
```xml
30+
<project>
31+
<url>https://github.com/OWNER/REPOSITORY</url>
32+
<scm>
33+
<url>https://github.com/OWNER/REPOSITORY</url>
34+
</scm>
35+
<issueManagement>
36+
<url>https://github.com/OWNER/REPOSITORY/issues</url>
37+
</issueManagement>
38+
</project>
39+
```
40+
41+
Replace `OWNER` and `REPOSITORY` with the detailed for your project.
42+
43+
## Impact of omitting project metadata from pom.xml files
44+
45+
If you forget to include the URLs that {% data variables.product.prodname_dependabot %} checks for, then pull requests to update Java packages are still created. However, the information available to users in the pull request summary will be limited.
46+
47+
* **Project repository or Source code management URL undefined:** no links to release notes in {% data variables.product.prodname_dependabot %} pull requests
48+
* **Issue management URL undefined:** no link to the issues page for reporting problems.
49+
50+
Adding this information helps {% data variables.product.prodname_dependabot %} provide better, more accurate updates for your project, complete with helpful links to release notes and issue trackers.
51+
52+
## Further reading
53+
54+
* [Maven SCM Plugin](https://maven.apache.org/scm/maven-scm-plugin/)
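Review bot: "Replace `OWNER` and `REPOSITORY` with the detailed for your project." is a typo; it should read "with the details for your project". In the bullet list, a colon after each element name (`` `url`: the home page ... ``) would separate the key from its description, and "POM reference" / "POM Reference" should be capitalized consistently across the three bullets. The reusable text added in the same commit says this metadata is read from "the `pom.xml` file of dependencies", that is, from the published package's POM rather than the consuming project's; the opening paragraph would be clearer if it said explicitly that the guidance is for maintainers who publish Java packages, so a reader does not add these elements to a downstream project and expect richer Dependabot pull requests there. Lastly, the "Further reading" entry points at the Maven SCM Plugin, which is a build plugin, not the `<scm>` POM element this page configures; the POM reference sections already cited in the bullets are the more relevant link.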

‎data/reusables/dependabot/supported-package-managers.md

Lines changed: 4 additions & 0 deletions
@@ -93,6 +93,8 @@ For more information about using {% data variables.product.prodname_dependabot_v
9393
* `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog){% endif %}
9494
* Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property).
9595

96+
{% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see "[AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot)".
97+
9698
{% ifversion dependabot-security-updates-gradle-support %}
9799
For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)."
98100

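Review bot: the new sentence ends `...optimizing-java-packages-dependabot)".` with the period outside the closing quote, while the existing sentence two lines below ends `...using-the-dependency-submission-api)."` with the period inside; pick one convention. The comma before "see" also joins two independent clauses; splitting it as "...cannot be included in Dependabot pull requests. For more information, see ..." matches the phrasing used elsewhere in this file.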
@@ -110,6 +112,8 @@ For {% data variables.product.prodname_dependabot_security_updates %}, Gradle su
110112

111113
{% data variables.product.prodname_dependabot %} doesn't run Maven but supports updates to `pom.xml` files.
112114

115+
{% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see "[AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot)".
116+
113117
#### NuGet CLI
114118

115119
{% data variables.product.prodname_dependabot %} doesn't run the NuGet CLI but does support most features up until version {% ifversion dependabot-updates-v680-nuget-support %}6.8.0{% elsif ghes = 3.12 %}6.7.0{% else %}4.8{% endif %}.
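Review bot: this paragraph is a verbatim copy of the one added to the Gradle section in the previous hunk, with the same trailing-period placement. Since the two copies will otherwise drift apart when one is edited, consider moving the sentence into its own reusable under `data/reusables/dependabot/` and including it in both places, and apply whatever punctuation convention is chosen for the first copy here as well.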
