Hello,
thanks for dependabot. I noticed a small discrepancy in an automatic security fix for jackson-databind (CVE-2019-16942). Essentially it seems that dependabot assumes that https://github.com/FasterXML/jackson is the repo to search for changes, however in this case https://github.com/FasterXML/jackson-databind/ is the right one.
Notice the link that is being used for "jackson-databind" in https://github.com/git-commit-id/maven-git-commit-id-plugin/pull/451. Furthermore the "see full diff" link also links to the "wrong" repo.
Public URL:
https://github.com/git-commit-id/maven-git-commit-id-plugin/pull/451
@TheSnoozer oh looks like this is coming from the published maven package so would have to be updated there. Would you wanna open an issue on their repo to update? 🙏 Will close this out as we can't fix this on our side.
Hi,
thanks for the feedback and response!
Just to clarify:
To fix this issue the URL in the pom (https://github.com/FasterXML/jackson-databind/blob/ed7d0a83b9bc9df1d95eb58a853760d780e7c450/pom.xml#L17) needs to be updated, correct? (just want to rule out that dependabot uses some other URL...)
@TheSnoozer oh actually, we probably want to use the scm > url if this exists which looks correct: https://github.com/FasterXML/jackson-databind/blob/ed7d0a83b9bc9df1d95eb58a853760d780e7c450/pom.xml#L23
Not seen this before so we're probably not aware of this field atm. Will look at updating this in Dependabot 👌
@rebelagentm you up for looking at this? Think it should be pretty straight forward to change the place where we get the dependency repository for Maven packages to get the above scm > url if this is present.
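The resolution rule discussed above (prefer the pom's scm > url, fall back to the project url), written out as an added Python example that is not Dependabot's own code; the pom fragment is constructed to mirror the situation in this issue and is not copied from the real jackson-databind pom.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom fragment (not the real jackson-databind pom): the project <url>
# points at the umbrella repo, while <scm><url> names the repo holding the code.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.fasterxml.jackson.core</groupId>
  <artifactId>jackson-databind</artifactId>
  <version>0.0.0-example</version>
  <url>https://github.com/FasterXML/jackson</url>
  <scm>
    <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
    <url>http://github.com/FasterXML/jackson-databind</url>
  </scm>
</project>
"""

# Same fragment with the <scm> block removed, to exercise the fallback path.
SAMPLE_POM_NO_SCM = re.sub(r"<scm>.*?</scm>\s*", "", SAMPLE_POM, flags=re.S)

GITHUB_RE = re.compile(
    r"^(?:https?://|git@)github\.com[:/]([^/]+)/([^/]+?)(?:\.git)?/?$"
)


def _text(root, ns, path):
    el = root.find(path, ns)
    return el.text.strip() if el is not None and el.text else None


def source_repo_url(pom_xml):
    """Pick the GitHub repo for a Maven artifact, preferring <scm> over <url>."""
    root = ET.fromstring(pom_xml)
    # Poms normally carry the POM 4.0.0 namespace, but tolerate its absence.
    m = re.match(r"\{(.*)\}", root.tag)
    ns = {"m": m.group(1)} if m else {}
    p = "m:" if m else ""
    candidates = (
        _text(root, ns, f"{p}scm/{p}url"),          # authoritative source repo
        _text(root, ns, f"{p}scm/{p}connection"),   # e.g. scm:git:git@github.com:...
        _text(root, ns, f"{p}url"),                 # project homepage, last resort
    )
    for candidate in candidates:
        if not candidate:
            continue
        candidate = re.sub(r"^scm:[^:]+:", "", candidate)  # drop "scm:git:" prefix
        match = GITHUB_RE.match(candidate)
        if match:
            return f"https://github.com/{match.group(1)}/{match.group(2)}"
    return None
```

With the scm block present the function yields the jackson-databind repo, so a "see full diff" link built from it would point at the repository that actually contains the fix.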
Hi, thanks for your input :-)
Could you perhaps reopen this issue (I don't have permissions)?
I also rephrased the title of the issue, since it's now clearer what goes wrong here.
@feelepxyz I can do that!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.