From 1367fa3214963de9f16e83309a7ca8fdd66d9cdb Mon Sep 17 00:00:00 2001
From: Rob Aiken
Date: Wed, 6 Nov 2024 17:42:03 +0000
Subject: [PATCH] Adding Adding Repository Information in pom.xml Files doc (#52775)
Co-authored-by: Felicity Chapman
Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
---
 .../index.md | 1 +
 .../optimizing-java-packages-dependabot.md | 54 +++++++++++++++++++
 .../dependabot/supported-package-managers.md | 4 ++
 3 files changed, 59 insertions(+)
 create mode 100644 content/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot.md
diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/index.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/index.md
index fa4bb2803ee2..31e4a7abaf60 100644
--- a/content/code-security/dependabot/ecosystems-supported-by-dependabot/index.md
+++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/index.md
@@ -15,4 +15,5 @@ topics:
 shortTitle: Dependabot ecosystems
 children: - /supported-ecosystems-and-repositories + - /optimizing-java-packages-dependabot ---
diff --git a/content/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot.md b/content/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot.md
new file mode 100644
index 000000000000..be4d943040e6
--- /dev/null
+++ b/content/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot.md
@@ -0,0 +1,54 @@ +--- +title: Optimizing Java packages for Dependabot updates +intro: 'By including metadata in your `pom.xml` file, you can enhance the information available to users in {% data variables.product.prodname_dependabot%} pull requests to update your Java packages.' +shortTitle: Optimize Java packages # Max 31 characters +allowTitleToDifferFromFilename: true +versions: + fpt: '*' + ghec: '*' + ghes: '*' +type: how_to +topics: + - Dependabot + - Dependencies + - Repositories +--- + +{% data variables.product.prodname_dependabot %} uses the information defined in `pom.xml` files to create pull requests to update Java dependencies for the Gradle and Maven ecosystems. When you include the project metadata that {% data variables.product.prodname_dependabot %} expects, pull requests contain links to the release notes for the suggested package update and a link where users can report any issues. This information means that users can update their packages with confidence after reviewing all the release information. + +## Including the metadata {% data variables.product.prodname_dependabot %} needs in pom.xml files + +{% data variables.product.prodname_dependabot %} uses the URLs for the project, the source code management system, and the issue management system to build the summary for update pull requests. 
+ +* `url` the home page for the project, see [More Project Information](https://maven.apache.org/pom.html#More_Project_Information) in the POM reference +* `scm` the URL of the source code management system used by the project, see [SCM](https://maven.apache.org/pom.html#scm) in the POM Reference +* `issueManagement` the URL of the issue management system used by the project, see [Issue Management](https://maven.apache.org/pom.html#issue-management) in the POM Reference + +### Example for a project hosted on {% data variables.product.github %} + +```xml + + https://github.com/OWNER/REPOSITORY + + https://github.com/OWNER/REPOSITORY + + + https://github.com/OWNER/REPOSITORY/issues + + +``` + +Replace `OWNER` and `REPOSITORY` with the detailed for your project. + +## Impact of omitting project metadata from pom.xml files + +If you forget to include the URLs that {% data variables.product.prodname_dependabot %} checks for, then pull requests to update Java packages are still created. However, the information available to users in the pull request summary will be limited. + +* **Project repository or Source code management URL undefined:** no links to release notes in {% data variables.product.prodname_dependabot %} pull requests +* **Issue management URL undefined:** no link to the issues page for reporting problems. + +Adding this information helps {% data variables.product.prodname_dependabot %} provide better, more accurate updates for your project, complete with helpful links to release notes and issue trackers. + +## Further reading + +* [Maven SCM Plugin](https://maven.apache.org/scm/maven-scm-plugin/) diff --git a/data/reusables/dependabot/supported-package-managers.md b/data/reusables/dependabot/supported-package-managers.md index 347f682cb5d8..ce602e850e91 100644 --- a/data/reusables/dependabot/supported-package-managers.md +++ b/data/reusables/dependabot/supported-package-managers.md 
@@ -93,6 +93,8 @@ For more information about using {% data variables.product.prodname_dependabot_v * `gradle/libs.versions.toml` (for projects using a standard Gradle version catalog){% endif %} * Files included via the `apply` declaration that have `dependencies` in the filename. Note that `apply` does not support `apply to`, recursion, or advanced syntaxes (for example, Kotlin's `apply` with `mapOf`, filenames defined by property). +{% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see "[AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot)". + {% ifversion dependabot-security-updates-gradle-support %} For {% data variables.product.prodname_dependabot_security_updates %}, Gradle support is limited to manual uploads of the dependency graph data using the {% data variables.dependency-submission-api.name %}. For more information about the {% data variables.dependency-submission-api.name %}, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api)." 
@@ -110,6 +112,8 @@ For {% data variables.product.prodname_dependabot_security_updates %}, Gradle su {% data variables.product.prodname_dependabot %} doesn't run Maven but supports updates to `pom.xml` files. +{% data variables.product.prodname_dependabot %} uses information from the `pom.xml` file of dependencies to add links to release information in update pull requests. If the information is omitted from the `pom.xml` file, then it cannot be included in {% data variables.product.prodname_dependabot %} pull requests, see "[AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/optimizing-java-packages-dependabot)". + #### NuGet CLI {% data variables.product.prodname_dependabot %} doesn't run the NuGet CLI but does support most features up until version {% ifversion dependabot-updates-v680-nuget-support %}6.8.0{% elsif ghes = 3.12 %}6.7.0{% else %}4.8{% endif %}.