Orchestrator: Adding support for downloading artifacts without Jfrog

Good day, SonarSource Community!

As many of you are aware, since 24 January 24, community plugins can no longer make requests to JFrog via the Orchestrator library. This is due to anonymous access being disabled on JFrog: see SONAR-21476.

As of 2024-02-07T23:00:00Z, a fix has been introduced whereby users can now bypass JFrog entirely by doing the following:

  1. Upgrade Orchestrator version to
  2. Utilize OrchestratorBuilder#setOrchestratorProperty(...) to override the default orchestrator.artifactory.url to central maven (or any other maven repository)
  3. All should work after this

Please note: due to these changes, only the following aliases will work when attempting to download artifacts through Orchestrator:

  • LATEST_RELEASE for the latest release (in terms of version number, not date)
  • LATEST_RELEASE[x.y] for the latest release of a series, for example LATEST_RELEASE[5.2]
  • x.y.z for an exact release including build number

Please refer to the README.md for any other information.



Thanks for the update.

I’m not sure if I should open a new topic or not, but… Unfortunately, this isn’t working anymore because the version numbers are ordered using Comparator.naturalOrder(), which is not the correct way to order them:

As shown in the image below, this is the result after versions.sort:

As result, the getLatestVersion function will consistently return the latest 9.9.x version (currently instead of the latest 10.x release.


You are indeed correct. This is a bug and a ticket has been created to deal with it. In the meantime, I suggest using LATEST_RELEASE[10] as this will work.

Many thanks for the find! :raised_hands:


Hi there, @felipebz

The fix has been merged and released. Please use instead.


1 Like