@monperrus
Last active January 29, 2025 18:07
Software Supply Chain Report of INRIA/spoon - v11.1.1-beta-9

New report, with the updates from chains-project/dirty-waters#39

Software Supply Chain Report of INRIA/spoon - v11.1.1-beta-9

How to read the results 📖

Dirty-waters has analyzed your project dependencies and assigned each finding to one of the following severity categories:

  • ⚠️⚠️⚠️: high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 352

❗ Packages with no Source Code URL (⚠️⚠️⚠️): 4

⛔ Packages with GitHub URLs that are 404 (⚠️⚠️⚠️): 78

🔧 Packages with accessible source code repos but inaccessible GitHub tags (⚠️⚠️⚠️): 100

🌵 Packages that are forks (⚠️⚠️): 2

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

Source code links that could not be found (82)

| index | package_name | github_url | github_exists |
|---|---|---|---|
| 1 | org.sonatype.sisu:sisu-guice@noaop:2.1.7 | No_repo_info_found | |
| 2 | com.google.inject:guice@no_aop:4.2.2 | No_repo_info_found | |
| 3 | org.sonatype.plexus:[email protected] | No_repo_info_found | |
| 4 | org.sonatype.plexus:[email protected] | No_repo_info_found | |
| 5 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-gfm-strikethrough | False |
| 6 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-yaml-front-matter | False |
| 7 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-format | False |
| 8 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-util | False |
| 9 | com.google.guava:[email protected] | https://github.com/google/guava/failureaccess | False |
| 10 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-impl | False |
| 11 | org.semver:[email protected] | https://github.com/jeluard/semantic-versioning/api | False |
| 12 | net.bytebuddy:[email protected] | https://github.com/raphw/byte-buddy.git/byte-buddy | False |
| 13 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.plexus/org.eclipse.sisu.plexus | False |
| 14 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-reload4j | False |
| 15 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-html | False |
| 16 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api | False |
| 17 | net.bytebuddy:[email protected] | https://github.com/raphw/byte-buddy.git/byte-buddy | False |
| 18 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations | False |
| 19 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-misc | False |
| 20 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-escaped-character | False |
| 21 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-sequence | False |
| 22 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-api | False |
| 23 | se.kth.castor:[email protected] | https://github.com/castor-software/depclean/depclean-maven-plugin | False |
| 24 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-ast | False |
| 25 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-server | False |
| 26 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-security | False |
| 27 | com.google.errorprone:[email protected] | https://github.com/google/error-prone/error_prone_annotations | False |
| 28 | org.jdom:[email protected] | https://github.com//hunterhacker/jdom | False |
| 29 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations | False |
| 30 | se.kth.castor:[email protected] | https://github.com/castor-software/depclean/depclean-core | False |
| 31 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-api | False |
| 32 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-http | False |
| 33 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-wikilink | False |
| 34 | org.iq80.snappy:[email protected] | https://github.com/dain/snapy | False |
| 35 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-util-ajax | False |
| 36 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-io | False |
| 37 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api | False |
| 38 | org.assertj:[email protected] | https://github.com/assertj/assertj/assertj-parent/assertj-core | False |
| 39 | ch.qos.logback:[email protected] | https://github.com/qos-ch/logback/logback-core | False |
| 40 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util | False |
| 41 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-data | False |
| 42 | com.google.guava:[email protected] | https://github.com/google/guava/failureaccess | False |
| 43 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations | False |
| 44 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-api | False |
| 45 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-util | False |
| 46 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-tables | False |
| 47 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.inject/org.eclipse.sisu.plexus | False |
| 48 | com.google.guava:[email protected] | https://github.com/google/guava/guava | False |
| 49 | com.google.errorprone:[email protected] | https://github.com/google/error-prone/error_prone_annotations | False |
| 50 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-dependency | False |
| 51 | com.google.errorprone:[email protected] | https://github.com/google/error-prone/error_prone_annotations | False |
| 52 | com.google.code.gson:[email protected] | https://github.com/google/gson/gson | False |
| 53 | javax.xml.bind:[email protected] | https://github.com/javaee/jaxb-spec.git/jaxb-api | False |
| 54 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-api | False |
| 55 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-interactivity/plexus-interactivity-api | False |
| 56 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-collection | False |
| 57 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark | False |
| 58 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-options | False |
| 59 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.inject/org.eclipse.sisu.inject | False |
| 60 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-builder | False |
| 61 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-visitor | False |
| 62 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-spi | False |
| 63 | org.objenesis:[email protected] | https://github.com/easymock/objenesis/objenesis | False |
| 64 | com.google.guava:[email protected] | https://github.com/google/guava/guava | False |
| 65 | org.sonatype.sisu:[email protected] | https://github.com/sonatype/sisu.git/sisu-inject/guice-bean/guice-plexus/sisu-inject-plexus | False |
| 66 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/jcl-over-slf4j | False |
| 67 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-xml | False |
| 68 | net.bytebuddy:[email protected] | https://github.com/raphw/byte-buddy.git/byte-buddy | False |
| 69 | org.sonatype.sisu:[email protected] | https://github.com/sonatype/sisu.git/sisu-inject/guice-bean/sisu-inject-bean | False |
| 70 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-abbreviation | False |
| 71 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-webapp | False |
| 72 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-definition | False |
| 73 | com.google.guava:[email protected] | https://github.com/google/guava/guava | False |
| 74 | org.apache.maven.plugin-testing:[email protected] | https://github.com/apache/maven-plugin-testing/maven-plugin-testing-tools | False |
| 75 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-autolink | False |
| 76 | net.bytebuddy:[email protected] | https://github.com/raphw/byte-buddy.git/byte-buddy-agent | False |
| 77 | com.google.guava:[email protected] | https://github.com/google/guava/listenablefuture | False |
| 78 | ch.qos.logback:[email protected] | https://github.com/qos-ch/logback/logback-classic | False |
| 79 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-servlet | False |
| 80 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-typographic | False |
| 81 | org.jgrapht:[email protected] | https://github.com/jgrapht/jgrapht.git/jgrapht-core | False |
| 82 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.inject/org.eclipse.sisu.inject | False |
List of packages with available source code repos but with inaccessible tags (100)

| package_name | release_tag_exists | tag_version | github_url | tag_related_info | status_code_for_release_tag |
|---|---|---|---|---|---|
| commons-codec:[email protected] | False | 1.17.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.checkerframework:[email protected] | False | 3.12.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 4.2.2 | https://github.com/diffplug/durian-swt | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.2.0 | https://github.com/codehaus-plexus/plexus-containers | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| commons-codec:[email protected] | False | 1.17.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.wagon:[email protected] | False | 3.5.3 | https://github.com/apache/maven-wagon | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
| org.eclipse.platform:[email protected] | False | 3.18.300 | https://github.com/eclipse-equinox/equinox | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 1.3.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| commons-codec:[email protected] | False | 1.16.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.httpcomponents:[email protected] | False | 4.4.16 | https://github.com/apache/httpcomponents-core | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| com.mysema.querydsl:[email protected] | False | 3.7.4 | https://github.com/querydsl/querydsl | The given tag was not found in the repo | 404 |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
| org.apache.maven.plugins:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.jetbrains:[email protected] | False | 13.0 | https://github.com/jetbrains/intellij-community | The given tag was not found in the repo | 404 |
| dev.equo.ide:[email protected] | False | 1.7.5 | https://github.com/equodev/equo-ide | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.plugin-tools:[email protected] | False | 3.12.0 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.checkerframework:[email protected] | False | 3.43.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven.plugins:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.6.0 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.httpcomponents:[email protected] | False | 4.5.14 | https://github.com/apache/httpcomponents-client | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| commons-codec:[email protected] | False | 1.16.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.plugin-tools:[email protected] | False | 3.6.4 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 1.2.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
| com.diffplug.spotless:[email protected] | False | 2.43.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.javassist:[email protected] | False | 3.28.0-GA | https://github.com/jboss-javassist/javassist | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| ch.qos.reload4j:[email protected] | False | 1.2.22 | https://github.com/qos-ch/reload4j | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
The package manager (maven) does not support checking for deprecated packages.
List of packages from fork (2)
package_name deprecated_in_version provenance_in_version all_deprecated github_url github_exists github_redirected archived is_fork forked_from open_issues_count is_match release_tag_exists tag_version tag_url tag_related_info status_code_for_release_tag
org.whitesource:[email protected] https://github.com/whitesource/maven-dependency-tree-parser True False False True https://github.com/adutra/maven-dependency-tree-parser 0 True 1.0.6 https://api.github.com/repos/whitesource/maven-dependency-tree-parser/git/ref/tags/maven-dependency-tree-parser-1.0.6 Tag maven-dependency-tree-parser-1.0.6 is found in the repo 200
com.github.cliftonlabs:[email protected] https://github.com/cliftonlabs/json-simple True False False True https://github.com/fangyidong/json-simple 1 True 3.0.2 https://api.github.com/repos/cliftonlabs/json-simple/git/ref/tags/json-simple-3.0.2 Tag json-simple-3.0.2 is found in the repo 200

Call to Action:

👻 What do I do now?

For packages without source code and accessible release tags:

    Open a pull request to the dependency's maintainer requesting correct repository metadata and proper tagging.

For deprecated packages:

    1. Confirm the maintainer's deprecation intention
    2. Check for non-deprecated versions

For packages without provenance:

    Open an issue in the dependency's repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.

For packages that are forks:

    Inspect the package and its GitHub repository to verify the fork is not malicious.

Report created by dirty-waters.

Report created on 2024-11-21 14:51:10

  • Tool version: 6119cfe3
  • Project Name: INRIA/spoon
  • Project Version: v11.1.1-beta-9
@randomicecube
Copy link

New report, with the updates from chains-project/dirty-waters#39

Software Supply Chain Report of INRIA/spoon - v11.1.1-beta-9

How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

  • ⚠️⚠️⚠️ : high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 352

❗ Packages with no Source Code URL(⚠️⚠️⚠️) 4

⛔ Packages with Github URLs that are 404(⚠️⚠️⚠️) 78

🔧 Packages with accessible source code repos but inaccessible GitHub tags(⚠️⚠️⚠️) 100

🌵 Packages that are forks(⚠️⚠️) 2

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

Source code links that could not be found(82)
index package_name github_url github_exists
1 org.sonatype.sisu:sisu-guice@noaop:2.1.7 No_repo_info_found
2 com.google.inject:guice@no_aop:4.2.2 No_repo_info_found
3 org.sonatype.plexus:[email protected] No_repo_info_found
4 org.sonatype.plexus:[email protected] No_repo_info_found
5 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-gfm-strikethrough False
6 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-yaml-front-matter False
7 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-format False
8 org.sonatype.aether:[email protected] https://github.com/sonatype/sonatype-aether.git/aether-util False
9 com.google.guava:[email protected] https://github.com/google/guava/failureaccess False
10 org.sonatype.aether:[email protected] https://github.com/sonatype/sonatype-aether.git/aether-impl False
11 org.semver:[email protected] https://github.com/jeluard/semantic-versioning/api False
12 net.bytebuddy:[email protected] https://github.com/raphw/byte-buddy.git/byte-buddy False
13 org.eclipse.sisu:[email protected] https://github.com/eclipse/sisu.plexus/org.eclipse.sisu.plexus False
14 org.slf4j:[email protected] https://github.com/qos-ch/slf4j/slf4j-reload4j False
15 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-html False
16 org.slf4j:[email protected] https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api False
17 net.bytebuddy:[email protected] https://github.com/raphw/byte-buddy.git/byte-buddy False
18 org.codehaus.plexus:[email protected] https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations False
19 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-misc False
20 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-escaped-character False
21 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-sequence False
22 org.sonatype.aether:[email protected] https://github.com/sonatype/sonatype-aether.git/aether-api False
23 se.kth.castor:[email protected] https://github.com/castor-software/depclean/depclean-maven-plugin False
24 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-ast False
25 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-server False
26 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-security False
27 com.google.errorprone:[email protected] https://github.com/google/error-prone/error_prone_annotations False
28 org.jdom:[email protected] https://github.com//hunterhacker/jdom False
29 org.codehaus.plexus:[email protected] https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations False
30 se.kth.castor:[email protected] https://github.com/castor-software/depclean/depclean-core False
31 org.slf4j:[email protected] https://github.com/qos-ch/slf4j/slf4j-api False
32 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-http False
33 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-wikilink False
34 org.iq80.snappy:[email protected] https://github.com/dain/snapy False
35 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-util-ajax False
36 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-io False
37 org.slf4j:[email protected] https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api False
38 org.assertj:[email protected] https://github.com/assertj/assertj/assertj-parent/assertj-core False
39 ch.qos.logback:[email protected] https://github.com/qos-ch/logback/logback-core False
40 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util False
41 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-data False
42 com.google.guava:[email protected] https://github.com/google/guava/failureaccess False
43 org.codehaus.plexus:[email protected] https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations False
44 org.slf4j:[email protected] https://github.com/qos-ch/slf4j/slf4j-api False
45 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-util False
46 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-tables False
47 org.eclipse.sisu:[email protected] https://github.com/eclipse/sisu.inject/org.eclipse.sisu.plexus False
48 com.google.guava:[email protected] https://github.com/google/guava/guava False
49 com.google.errorprone:[email protected] https://github.com/google/error-prone/error_prone_annotations False
50 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-dependency False
51 com.google.errorprone:[email protected] https://github.com/google/error-prone/error_prone_annotations False
52 com.google.code.gson:[email protected] https://github.com/google/gson/gson False
53 javax.xml.bind:[email protected] https://github.com/javaee/jaxb-spec.git/jaxb-api False
54 org.slf4j:[email protected] https://github.com/qos-ch/slf4j/slf4j-api False
55 org.codehaus.plexus:[email protected] https://github.com/codehaus-plexus/plexus-interactivity/plexus-interactivity-api False
56 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-collection False
57 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark False
58 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-options False
59 org.eclipse.sisu:[email protected] https://github.com/eclipse/sisu.inject/org.eclipse.sisu.inject False
60 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-builder False
61 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-util-visitor False
62 org.sonatype.aether:[email protected] https://github.com/sonatype/sonatype-aether.git/aether-spi False
63 org.objenesis:[email protected] https://github.com/easymock/objenesis/objenesis False
64 com.google.guava:[email protected] https://github.com/google/guava/guava False
65 org.sonatype.sisu:[email protected] https://github.com/sonatype/sisu.git/sisu-inject/guice-bean/guice-plexus/sisu-inject-plexus False
66 org.slf4j:[email protected] https://github.com/qos-ch/slf4j/jcl-over-slf4j False
67 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-xml False
68 net.bytebuddy:[email protected] https://github.com/raphw/byte-buddy.git/byte-buddy False
69 org.sonatype.sisu:[email protected] https://github.com/sonatype/sisu.git/sisu-inject/guice-bean/sisu-inject-bean False
70 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-abbreviation False
71 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-webapp False
72 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-definition False
73 com.google.guava:[email protected] https://github.com/google/guava/guava False
74 org.apache.maven.plugin-testing:[email protected] https://github.com/apache/maven-plugin-testing/maven-plugin-testing-tools False
75 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-autolink False
76 net.bytebuddy:[email protected] https://github.com/raphw/byte-buddy.git/byte-buddy-agent False
77 com.google.guava:[email protected] https://github.com/google/guava/listenablefuture False
78 ch.qos.logback:[email protected] https://github.com/qos-ch/logback/logback-classic False
79 org.eclipse.jetty:[email protected] https://github.com/eclipse/jetty.project/jetty-servlet False
80 com.vladsch.flexmark:[email protected] https://github.com/vsch/flexmark-java/flexmark-ext-typographic False
81 org.jgrapht:[email protected] https://github.com/jgrapht/jgrapht.git/jgrapht-core False
82 org.eclipse.sisu:[email protected] https://github.com/eclipse/sisu.inject/org.eclipse.sisu.inject False
List of packages with available source code repos but with inaccessible tags (100)

| package_name | release_tag_exists | tag_version | github_url | tag_related_info | status_code_for_release_tag |
|---|---|---|---|---|---|
| commons-codec:[email protected] | False | 1.17.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.checkerframework:[email protected] | False | 3.12.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 4.2.2 | https://github.com/diffplug/durian-swt | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.2.0 | https://github.com/codehaus-plexus/plexus-containers | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| commons-codec:[email protected] | False | 1.17.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.wagon:[email protected] | False | 3.5.3 | https://github.com/apache/maven-wagon | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
| org.eclipse.platform:[email protected] | False | 3.18.300 | https://github.com/eclipse-equinox/equinox | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 1.3.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| commons-codec:[email protected] | False | 1.16.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.httpcomponents:[email protected] | False | 4.4.16 | https://github.com/apache/httpcomponents-core | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| com.mysema.querydsl:[email protected] | False | 3.7.4 | https://github.com/querydsl/querydsl | The given tag was not found in the repo | 404 |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
| org.apache.maven.plugins:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.jetbrains:[email protected] | False | 13.0 | https://github.com/jetbrains/intellij-community | The given tag was not found in the repo | 404 |
| dev.equo.ide:[email protected] | False | 1.7.5 | https://github.com/equodev/equo-ide | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.plugin-tools:[email protected] | False | 3.12.0 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
| org.checkerframework:[email protected] | False | 3.43.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven.plugins:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.6.0 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.httpcomponents:[email protected] | False | 4.5.14 | https://github.com/apache/httpcomponents-client | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| commons-codec:[email protected] | False | 1.16.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| org.apache.maven.plugin-tools:[email protected] | False | 3.6.4 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
| org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 1.2.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
| com.diffplug.spotless:[email protected] | False | 2.43.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
| org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
| org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
| org.javassist:[email protected] | False | 3.28.0-GA | https://github.com/jboss-javassist/javassist | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
| org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
| org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
| ch.qos.reload4j:[email protected] | False | 1.2.22 | https://github.com/qos-ch/reload4j | The given tag was not found in the repo | 404 |
| org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |

The package manager (maven) does not support checking for deprecated packages.
List of packages from fork (2)

| package_name | deprecated_in_version | provenance_in_version | all_deprecated | github_url | github_exists | github_redirected | archived | is_fork | forked_from | open_issues_count | is_match | release_tag_exists | tag_version | tag_url | tag_related_info | status_code_for_release_tag |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| org.whitesource:[email protected] | | | | https://github.com/whitesource/maven-dependency-tree-parser | True | False | False | True | https://github.com/adutra/maven-dependency-tree-parser | 0 | | True | 1.0.6 | https://api.github.com/repos/whitesource/maven-dependency-tree-parser/git/ref/tags/maven-dependency-tree-parser-1.0.6 | Tag maven-dependency-tree-parser-1.0.6 is found in the repo | 200 |
| com.github.cliftonlabs:[email protected] | | | | https://github.com/cliftonlabs/json-simple | True | False | False | True | https://github.com/fangyidong/json-simple | 1 | | True | 3.0.2 | https://api.github.com/repos/cliftonlabs/json-simple/git/ref/tags/json-simple-3.0.2 | Tag json-simple-3.0.2 is found in the repo | 200 |

Call to Action:

👻 What do I do now? For packages without source code & accessible release tags:

    Open a pull request to the maintainer of the dependency, requesting correct repository metadata and proper tagging.

For deprecated packages:

    1. Confirm the maintainer’s deprecation intention
    2. Check for non-deprecated versions

For packages without provenance:

    Open an issue in the dependency’s repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.

For packages that are forks:

    Inspect the package and its GitHub repository to verify the fork is not malicious.

Report created by dirty-waters.

Report created on 2024-11-21 14:51:10

  • Tool version: 6119cfe3
  • Project Name: INRIA/spoon
  • Project Version: v11.1.1-beta-9

@monperrus
Author

thanks @randomicecube, updated the main Gist

@randomicecube

@monperrus after the current work with the updates from chains-project/dirty-waters#60, the report is currently as follows (of note, I would emphasize the huge decrease in tags not found!):

Software Supply Chain Report of INRIA/spoon - v11.1.1-beta-9

Enabled Checks

The following checks were specifically requested:

  • Source Code
  • Release Tags
  • Deprecated
  • Forks
  • Provenance
  • Code Signature

How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

  • ⚠️⚠️⚠️ : high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 351

❗ Packages with no Source Code URL(⚠️⚠️⚠️) 4

⛔ Packages with Github URLs that are 404(⚠️⚠️⚠️) 77

🔧 Packages with accessible source code repos but inaccessible GitHub tags(⚠️⚠️⚠️) 30

🌵 Packages that are forks(⚠️⚠️) 2

🔒 Packages without code signature(⚠️⚠️) 10

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

Source code links that could not be found (81)

| index | package_name | github_url | github_exists |
|---|---|---|---|
| 1 | com.google.inject:guice@no_aop | No_repo_info_found | |
| 2 | org.sonatype.sisu:sisu-guice@noaop | No_repo_info_found | |
| 3 | org.sonatype.plexus:[email protected] | No_repo_info_found | |
| 4 | org.sonatype.plexus:[email protected] | No_repo_info_found | |
| 5 | com.google.errorprone:[email protected] | https://github.com/google/error-prone/error_prone_annotations | False |
| 6 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-io | False |
| 7 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-impl | False |
| 8 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-options | False |
| 9 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-abbreviation | False |
| 10 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-definition | False |
| 11 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-gfm-strikethrough | False |
| 12 | org.jgrapht:[email protected] | https://github.com/jgrapht/jgrapht.git/jgrapht-core | False |
| 13 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-html | False |
| 14 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/jcl-over-slf4j | False |
| 15 | com.google.guava:[email protected] | https://github.com/google/guava/failureaccess | False |
| 16 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-security | False |
| 17 | org.assertj:[email protected] | https://github.com/assertj/assertj/assertj-parent/assertj-core | False |
| 18 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations | False |
| 19 | org.apache.maven.plugin-testing:[email protected] | https://github.com/apache/maven-plugin-testing/maven-plugin-testing-tools | False |
| 20 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark | False |
| 21 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-interactivity/plexus-interactivity-api | False |
| 22 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-spi | False |
| 23 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-util | False |
| 24 | com.google.code.gson:[email protected] | https://github.com/google/gson/gson | False |
| 25 | com.google.guava:[email protected] | https://github.com/google/guava/guava | False |
| 26 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-xml | False |
| 27 | net.bytebuddy:[email protected] | https://github.com/raphw/byte-buddy.git/byte-buddy-agent | False |
| 28 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-tables | False |
| 29 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-api | False |
| 30 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-http | False |
| 31 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-ast | False |
| 32 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-servlet | False |
| 33 | se.kth.castor:[email protected] | https://github.com/castor-software/depclean/depclean-core | False |
| 34 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations | False |
| 35 | javax.xml.bind:[email protected] | https://github.com/javaee/jaxb-spec.git/jaxb-api | False |
| 36 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-yaml-front-matter | False |
| 37 | net.bytebuddy:[email protected] | https://github.com/raphw/byte-buddy.git/byte-buddy | False |
| 38 | org.sonatype.sisu:[email protected] | https://github.com/sonatype/sisu.git/sisu-inject/guice-bean/sisu-inject-bean | False |
| 39 | org.iq80.snappy:[email protected] | https://github.com/dain/snapy | False |
| 40 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-wikilink | False |
| 41 | com.google.errorprone:[email protected] | https://github.com/google/error-prone/error_prone_annotations | False |
| 42 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-data | False |
| 43 | org.semver:[email protected] | https://github.com/jeluard/semantic-versioning/api | False |
| 44 | com.google.errorprone:[email protected] | https://github.com/google/error-prone/error_prone_annotations | False |
| 45 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-reload4j | False |
| 46 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-builder | False |
| 47 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-misc | False |
| 48 | se.kth.castor:[email protected] | https://github.com/castor-software/depclean/depclean-maven-plugin | False |
| 49 | ch.qos.logback:[email protected] | https://github.com/qos-ch/logback/logback-classic | False |
| 50 | javax.activation:[email protected] | https://github.com/javaee/activation/javax.activation-api | False |
| 51 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-autolink | False |
| 52 | com.google.guava:[email protected] | https://github.com/google/guava/listenablefuture | False |
| 53 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-escaped-character | False |
| 54 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.inject/org.eclipse.sisu.inject | False |
| 55 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api | False |
| 56 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.inject/org.eclipse.sisu.inject | False |
| 57 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util | False |
| 58 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-visitor | False |
| 59 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-sequence | False |
| 60 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-server | False |
| 61 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-api | False |
| 62 | com.google.guava:[email protected] | https://github.com/google/guava/failureaccess | False |
| 63 | org.sonatype.aether:[email protected] | https://github.com/sonatype/sonatype-aether.git/aether-util | False |
| 64 | com.google.guava:[email protected] | https://github.com/google/guava/guava | False |
| 65 | com.google.guava:[email protected] | https://github.com/google/guava/guava | False |
| 66 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-ext-typographic | False |
| 67 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-util-ajax | False |
| 68 | org.codehaus.plexus:[email protected] | https://github.com/codehaus-plexus/plexus-containers/plexus-component-annotations | False |
| 69 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.inject/org.eclipse.sisu.plexus | False |
| 70 | org.eclipse.sisu:[email protected] | https://github.com/eclipse/sisu.plexus/org.eclipse.sisu.plexus | False |
| 71 | org.jdom:[email protected] | https://github.com//hunterhacker/jdom | False |
| 72 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-api | False |
| 73 | org.sonatype.sisu:[email protected] | https://github.com/sonatype/sisu.git/sisu-inject/guice-bean/guice-plexus/sisu-inject-plexus | False |
| 74 | net.bytebuddy:[email protected] | https://github.com/raphw/byte-buddy.git/byte-buddy | False |
| 75 | org.objenesis:[email protected] | https://github.com/easymock/objenesis/objenesis | False |
| 76 | ch.qos.logback:[email protected] | https://github.com/qos-ch/logback/logback-core | False |
| 77 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-dependency | False |
| 78 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-format | False |
| 79 | org.eclipse.jetty:[email protected] | https://github.com/eclipse/jetty.project/jetty-webapp | False |
| 80 | org.slf4j:[email protected] | https://github.com/qos-ch/slf4j/slf4j-api | False |
| 81 | com.vladsch.flexmark:[email protected] | https://github.com/vsch/flexmark-java/flexmark-util-collection | False |

List of packages with available source code repos but with inaccessible tags (30)

| package_name | release_tag_exists | tag_version | github_url | tag_related_info | status_code_for_release_tag |
|---|---|---|---|---|---|
| commons-codec:[email protected] | False | 1.17.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| commons-codec:[email protected] | False | 1.16.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| commons-codec:[email protected] | False | 1.16.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| org.apache.httpcomponents:[email protected] | False | 4.5.14 | https://github.com/apache/httpcomponents-client | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.jetbrains:[email protected] | False | 13.0 | https://github.com/jetbrains/intellij-community | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | |
| com.diffplug.spotless:[email protected] | False | 2.43.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | |
| org.apache.httpcomponents:[email protected] | False | 4.4.16 | https://github.com/apache/httpcomponents-core | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | |
| com.mysema.querydsl:[email protected] | False | 3.7.4 | https://github.com/querydsl/querydsl | The given tag was not found in the repo | |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | |
| commons-codec:[email protected] | False | 1.17.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | |
| org.javassist:[email protected] | False | 3.28.0-GA | https://github.com/jboss-javassist/javassist | The given tag was not found in the repo | |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | |
| org.eclipse.platform:[email protected] | False | 3.18.300 | https://github.com/eclipse-equinox/equinox | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| dev.equo.ide:[email protected] | False | 1.7.5 | https://github.com/equodev/equo-ide | The given tag was not found in the repo | |

The package manager (maven) does not support checking for deprecated packages.

List of packages from fork (2)

| package_name | is_fork | parent_repo_link |
|---|---|---|
| com.github.cliftonlabs:[email protected] | True | https://github.com/fangyidong/json-simple |
| org.whitesource:[email protected] | True | https://github.com/adutra/maven-dependency-tree-parser |

The package manager (maven) does not support checking for provenance.

List of packages without code signature (10)

| package_name | signature_present |
|---|---|
| com.google.inject:guice@no_aop | False |
| com.martiansoftware:[email protected] | False |
| org.codehaus.plexus:[email protected] | False |
| javax.validation:[email protected] | False |
| com.google.code.findbugs:[email protected] | False |
| org.sonatype.sisu:sisu-guice@noaop | False |
| aopalliance:[email protected] | False |
| javax.inject:javax.inject@1 | False |
| commons-lang:[email protected] | False |
| org.apache.maven.scm:[email protected] | False |

All packages have valid code signature.

Call to Action:

👻 What do I do now? For packages without source code & accessible release tags:

    Open a pull request to the maintainer of the dependency, requesting correct repository metadata and proper tagging.

For deprecated packages:

    1. Confirm the maintainer’s deprecation intention
    2. Check for non-deprecated versions

For packages without provenance:

    Open an issue in the dependency’s repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.

For packages that are forks:

    Inspect the package and its GitHub repository to verify the fork is not malicious.

Report created by dirty-waters.

Report created on 2025-01-28 17:06:42

  • Tool version: 0ec3119d
  • Project Name: INRIA/spoon
  • Project Version: v11.1.1-beta-9

@monperrus (Author):

I would emphasize the huge decrease in tags not found

Nice, well done!

Packages with no Source Code URL(⚠️⚠️⚠️) 4

The main goal is to bring that to 0, such that we can activate the dirty-waters CI check and fail the build if this is non-zero.

@randomicecube:

New report, according to SCM-retrieval updates. Some edge cases remaining, will look into each of them concretely now.

Software Supply Chain Report of INRIA/spoon - v11.1.1-beta-9

Enabled Checks

The following checks were specifically requested:

  • Source Code
  • Release Tags
  • Deprecated
  • Forks
  • Provenance
  • Code Signature

How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

  • ⚠️⚠️⚠️ : high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 351

❗ Packages with no source code URL (⚠️⚠️⚠️) 4

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️) 1

🔧 Packages with inaccessible GitHub tag (⚠️⚠️⚠️) 54

🌵 Packages that are forks (⚠️⚠️) 3

🔒 Packages without code signature (⚠️⚠️) 10

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

Source code links that could not be found (5)

| index | package_name | github_url | github_exists |
|---|---|---|---|
| 1 | com.google.inject:guice@no_aop | No_repo_info_found | |
| 2 | org.sonatype.sisu:sisu-guice@noaop | No_repo_info_found | |
| 3 | org.sonatype.plexus:[email protected] | No_repo_info_found | |
| 4 | org.sonatype.plexus:[email protected] | No_repo_info_found | |
| 5 | org.iq80.snappy:[email protected] | https://github.com/dain/snapy | False |
List of packages with available source code repos but with inaccessible tags (54)

| package_name | release_tag_exists | tag_version | github_url | tag_related_info | status_code_for_release_tag |
|---|---|---|---|---|---|
| commons-codec:[email protected] | False | 1.17.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| org.assertj:[email protected] | False | 3.26.3 | https://github.com/assertj/assertj | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| commons-codec:[email protected] | False | 1.16.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| commons-codec:[email protected] | False | 1.16.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| com.google.code.gson:[email protected] | False | 2.10 | https://github.com/google/gson | The given tag was not found in the repo | |
| com.google.guava:[email protected] | False | 31.0.1-jre | https://github.com/google/guava | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| org.apache.httpcomponents:[email protected] | False | 4.5.14 | https://github.com/apache/httpcomponents-client | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.jetbrains:[email protected] | False | 13.0 | https://github.com/jetbrains/intellij-community | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| se.kth.castor:[email protected] | False | 2.0.6 | https://github.com/castor-software/depclean | The given tag was not found in the repo | |
| org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | |
| se.kth.castor:[email protected] | False | 2.0.6 | https://github.com/castor-software/depclean | The given tag was not found in the repo | |
| javax.activation:[email protected] | False | 1.2.0 | https://github.com/javaee/activation | The given tag was not found in the repo | |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | |
| com.google.guava:[email protected] | False | 9999.0-empty-to-avoid-conflict-with-guava | https://github.com/google/guava | The given tag was not found in the repo | |
| com.diffplug.spotless:[email protected] | False | 2.43.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | |
| org.eclipse.sisu:[email protected] | False | 0.9.0.M3 | https://github.com/eclipse/sisu.inject | The given tag was not found in the repo | |
| org.apache.httpcomponents:[email protected] | False | 4.4.16 | https://github.com/apache/httpcomponents-core | The given tag was not found in the repo | |
| org.eclipse.sisu:[email protected] | False | 0.9.0.M2 | https://github.com/eclipse/sisu.inject | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| com.mysema.querydsl:[email protected] | False | 3.7.4 | https://github.com/querydsl/querydsl | The given tag was not found in the repo | |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | |
| com.google.guava:[email protected] | False | 31.1-jre | https://github.com/google/guava | The given tag was not found in the repo | |
| com.google.guava:[email protected] | False | 33.3.1-jre | https://github.com/google/guava | The given tag was not found in the repo | |
| org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | |
| commons-codec:[email protected] | False | 1.17.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | |
| com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| org.javassist:[email protected] | False | 3.28.0-GA | https://github.com/jboss-javassist/javassist | The given tag was not found in the repo | |
| org.eclipse.sisu:[email protected] | False | 0.9.0.M3 | https://github.com/eclipse/sisu.inject | The given tag was not found in the repo | |
| org.eclipse.sisu:[email protected] | False | 0.9.0.M2 | https://github.com/eclipse/sisu.plexus | The given tag was not found in the repo | |
| org.jdom:[email protected] | False | 2.0.6.1 | https://github.com/hunterhacker/jdom | The given tag was not found in the repo | |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | |
| com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | |
| org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | |
| org.eclipse.jetty:[email protected] | False | 9.4.54.v20240208 | https://github.com/eclipse/jetty.project | The given tag was not found in the repo | |
| org.eclipse.platform:[email protected] | False | 3.18.300 | https://github.com/eclipse-equinox/equinox | The given tag was not found in the repo | |
| org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | |
| dev.equo.ide:[email protected] | False | 1.7.5 | https://github.com/equodev/equo-ide | The given tag was not found in the repo | |

The package manager (maven) does not support checking for deprecated packages.

List of packages from fork (3)

| package_name | is_fork | parent_repo_link |
|---|---|---|
| org.jgrapht:[email protected] | True | https://github.com/lingeringsocket/jgrapht |
| com.github.cliftonlabs:[email protected] | True | https://github.com/fangyidong/json-simple |
| org.whitesource:[email protected] | True | https://github.com/adutra/maven-dependency-tree-parser |

The package manager (maven) does not support checking for provenance.

List of packages without code signature (10)

| package_name | signature_present |
|---|---|
| com.google.inject:guice@no_aop | False |
| com.martiansoftware:[email protected] | False |
| org.codehaus.plexus:[email protected] | False |
| javax.validation:[email protected] | False |
| com.google.code.findbugs:[email protected] | False |
| org.sonatype.sisu:sisu-guice@noaop | False |
| aopalliance:[email protected] | False |
| javax.inject:javax.inject@1 | False |
| commons-lang:[email protected] | False |
| org.apache.maven.scm:[email protected] | False |

The report's closing line "All packages have valid code signature." contradicts the table above: the 10 packages listed have no signature.

Call to Action:

👻 What do I do now?

For packages without source code or without an accessible release tag:

    Open a pull request against the dependency's repository asking the maintainers to fix the repository metadata (the <scm> section of the POM) and to tag each release.

For deprecated packages:

    1. Confirm the maintainer's deprecation intention.
    2. Check for non-deprecated versions.

For packages without provenance:

    Open an issue in the dependency's repository to request provenance and build attestation in the CI/CD pipeline.

For packages that are forks:

    Inspect the package and its GitHub repository to verify the fork is not malicious.

Report created by dirty-waters.

Report created on 2025-01-29 19:06:05

  • Tool version: 7690e8db
  • Project Name: INRIA/spoon
  • Project Version: v11.1.1-beta-9
