New report, with the updates from chains-project/dirty-waters#39
How to read the results 📖
Dirty-waters has analyzed your project dependencies and found different categories for each of them:
- ⚠️ ⚠️ ⚠️ : high severity
- ⚠️ ⚠️ : medium severity
- ⚠️ : low severity
- ❗ Packages with no Source Code URL(
- ⛔ Packages with GitHub URLs that are 404(
- 🔧 Packages with accessible source code repos but inaccessible GitHub tags(
- 🌵 Packages that are forks(
🐬 For further information about software supply chain smells in your project, take a look at the following tables.
Source code links that could not be found (82)
List of packages with available source code repos but with inaccessible tags (100)
package_name | release_tag_exists | tag_version | github_url | tag_related_info | status_code_for_release_tag |
---|---|---|---|---|---|
commons-codec:[email protected] | False | 1.17.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.checkerframework:[email protected] | False | 3.12.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 4.2.2 | https://github.com/diffplug/durian-swt | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.2.0 | https://github.com/codehaus-plexus/plexus-containers | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
commons-codec:[email protected] | False | 1.17.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.wagon:[email protected] | False | 3.5.3 | https://github.com/apache/maven-wagon | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
org.eclipse.platform:[email protected] | False | 3.18.300 | https://github.com/eclipse-equinox/equinox | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 1.3.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
commons-codec:[email protected] | False | 1.16.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.httpcomponents:[email protected] | False | 4.4.16 | https://github.com/apache/httpcomponents-core | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
com.mysema.querydsl:[email protected] | False | 3.7.4 | https://github.com/querydsl/querydsl | The given tag was not found in the repo | 404 |
com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
org.apache.maven.plugins:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.jetbrains:[email protected] | False | 13.0 | https://github.com/jetbrains/intellij-community | The given tag was not found in the repo | 404 |
dev.equo.ide:[email protected] | False | 1.7.5 | https://github.com/equodev/equo-ide | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.plugin-tools:[email protected] | False | 3.12.0 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.checkerframework:[email protected] | False | 3.43.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven.plugins:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.6.0 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.httpcomponents:[email protected] | False | 4.5.14 | https://github.com/apache/httpcomponents-client | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
commons-codec:[email protected] | False | 1.16.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.plugin-tools:[email protected] | False | 3.6.4 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 1.2.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
com.diffplug.spotless:[email protected] | False | 2.43.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.javassist:[email protected] | False | 3.28.0-GA | https://github.com/jboss-javassist/javassist | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
ch.qos.reload4j:[email protected] | False | 1.2.22 | https://github.com/qos-ch/reload4j | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
List of packages that are forks (2)
package_name | deprecated_in_version | provenance_in_version | all_deprecated | github_url | github_exists | github_redirected | archived | is_fork | forked_from | open_issues_count | is_match | release_tag_exists | tag_version | tag_url | tag_related_info | status_code_for_release_tag |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
org.whitesource:[email protected] | | | | https://github.com/whitesource/maven-dependency-tree-parser | True | False | False | True | https://github.com/adutra/maven-dependency-tree-parser | 0 | True | | 1.0.6 | https://api.github.com/repos/whitesource/maven-dependency-tree-parser/git/ref/tags/maven-dependency-tree-parser-1.0.6 | Tag maven-dependency-tree-parser-1.0.6 is found in the repo | 200 |
com.github.cliftonlabs:[email protected] | | | | https://github.com/cliftonlabs/json-simple | True | False | False | True | https://github.com/fangyidong/json-simple | 1 | True | | 3.0.2 | https://api.github.com/repos/cliftonlabs/json-simple/git/ref/tags/json-simple-3.0.2 | Tag json-simple-3.0.2 is found in the repo | 200 |
👻 What do I do now?
For packages without source code or accessible release tags: open a pull request to the dependency's maintainer requesting correct repository metadata and proper tagging.
For deprecated packages:
1. Confirm the maintainer’s deprecation intention
2. Check for versions that are not deprecated
For packages without provenance:
Open an issue in the dependency’s repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.
For packages that are forks:
Inspect the package and its GitHub repository to verify the fork is not malicious.
Report created by dirty-waters.
Report created on 2024-11-21 14:51:10
- Tool version: 6119cfe3
- Project Name: INRIA/spoon
- Project Version: v11.1.1-beta-9
thanks @randomicecube updated the main Gist