No tags in code repository for version released on Maven

PROJECT: org.sonarsource.sonarqube:sonar-plugin-api;
PROJECT_URL: GitHub - SonarSource/sonarqube: Continuous Inspection

There are no tags of commits for labeling the version in Maven

Dear Developers,

We are the software engineering research team from Zhejiang University, China.

We are now conducting work on automatically identifying the commit range of an untagged version.

In git-based software development, tagging the release commit with a version number is a common practice. However, we find that products are released in maven with version numbers but WITHOUT tags in their corresponding repository and such a scenario accounts for a large scale among those product versions with high-risk vulnerabilities (CVSS > 7). Therefore, we conduct this survey for figuring out the reasons why the traceabilities between releases in maven and the tags in the repository are missing.

Aligning software product releases to the commits in the code repository can help the software quality assurance team better maintain the corresponding version, especially for versions with high-risk vulnerabilities to be fixed as soon as possible.

However, it is not easy to map a release in Maven to the commit in the code repository if the corresponding tags in the code repository are missing.

Therefore, to help developers quickly and easily find the corresponding released commits for better maintaining specific versions, we develop a tool, named ContentAlignment, which identifies a few commits (as few as possible) for an untagged release in their code repository.

However, we have no idea about the truth commits for that release.

Considering you are the developers of sonarqube, we post the thread for help.

We will appreciate your time and valuable responses.

Here are the details of the questionnaire.

**PROJECT: [‘org.sonarsource.sonarqube:sonar-plugin-api’]; VERSION:; **

Q1: Why this software product version is released without tags in the code repository?
(a) Forget to tag, (b) This version has bugs, (c) Trouble to operate, (d) Unnecessary, (e) Other,___________________________

Q2: Have you ever encountered that the version on maven cannot find the tag of the corresponding version on github?
(a) Yes, (b) No, (c) Indetermination

Q3: How do you find the commit id of a product version?
(a) By tags, (b) Manually check, (c) With other tool,____________________________

Q4: How do you check out the code repository for an untagged product version when fixing their vulnerabilities?
(a) Manually check, (b) With other tool,____________________________

Q5: How long does it take you to locate the untagged version of commit?
(a) <10mins, (b) <30mins, (c) <1h, (d) 1h~12h, (e) >12h,

Here is the commits identified by our tool for this release:

[‘0c05b10747a60ac7a5eff6b8f7af9bf06c7e573d,’, ‘898a79cc7df01a9603c17f92b93e46ec62bc77d2,’, ‘28394f222603b43aadc132ec7e814bc6a5cd8edb,’, ‘93bf42f81310013436f2d5ef60b60d8714a32f5f’]

Question1: Is this the version that you released?
(a) Yes, (b) No, (c) Indetermination,

Question2: Do you know the truth commit where this version is released?
(a) No, (b) Yes, ___________________________________

Question3: What is the potential commit range for this released version? [Optional, if Question2 is No]
(a) _____________________________________________

Question4: How do you think ContetnAlignment performs?
(a) Great, (b) Good, Normal, Poor

Question5: Why can’t find the tag on Github?
(a) Github mismatch, (b) Forget to tag, (c) Has bug in development, (d) Trouble to operate, (e) Other,___________________________

Thank you very much again for your time!

If you have further questions, please let us know (,,

Yours Sincerely,

Chao Ni, Lingfeng Bao, Chengjie Chen
Zhejiang University