Rule for verification of version in pom.xml

Due to deprecated versions in Java dependencies, this gives the possibility of verifying the existence of a version using XPath:

//dependency/artifactId[starts-with(text(),'mule-salesforce-connector')]//following-sibling::version[(starts-with(text(),'10.16.6'))]

on the following code:

<dependency>
   <groupId>com.mulesoft.connectors</groupId>
   <artifactId>mule-salesforce-connector</artifactId>
   <version>10.16.7</version>
   <classifier>mule-plugin</classifier>
</dependency>

Is there a way to check if all the versions below 10.16.7 are also present in the code? What I could find is that we could do the following:

//dependency/artifactId[starts-with(text(),'mule-salesforce-connector')]//following-sibling::version[not(starts-with(text(),'10.16.7'))]

Is there then a way to automatically verify what the latest version is on a given website https://www.anypoint.mulesoft.com/exchange/com.mulesoft.connectors/mule-salesforce-connector/ to adjust the rule accordingly?

Hey there.

You shouldn’t need to write anything custom for this – there’s already a template rule to let you achieve this! S3417 - XML static code analysis: Track uses of disallowed dependencies

Hi,

Thank you for the information. Could you please be more specific on how that is supposed to work in an existing Self-Hosted version? Is that somehow automated in the existing rule set?

Kind regards,

Tiago

Check out the documentation on rule templates

Colin,

Thank you for the documentation. Is there a command line to verify the same?

Kind regards,

Tiago

Hey there.

I’m not sure what you mean by “command line” in this context.

Hi,

I was checking the documentation, and I didn’t find anything. Therefore I was wondering if there could be command line commands to adjust the verification of the version according to what you have mentioned, S3417. Let me know if I can clarify further.

Regards,

Tiago

I was able to locate the mentioned rule at https://sonarqube.server.com/coding_rules?is_template=true&open=xml%3AS3417 that seems to have the need for customization. Is there the possibility to link that rule to a particular website where the values would be then updated accordingly?

No, the configuration must be stored in SonarQube as a part of the Quality Profile.

It sounds like you might be interested in a more sophisticated SCA (Software Component Analysis) tool. SonarQube offers a few rules around this, but it’s not comprehensive.
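The "all versions below 10.16.7" check from the opening question, as an added example that is not code from any participant in this thread or from SonarQube: the `starts-with()` expressions above compare text prefixes, so `'10.16.6'` also matches `10.16.60`, whereas the check needs a numeric comparison. The function names and the sample POM are constructed for illustration, the version ordering is a simplification of Maven's, and fetching the latest version from Exchange is not covered.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not the thread's project). The second dependency
# takes its version from a property, which text matching on <version> misses.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><sf.version>10.16.60</sf.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.mulesoft.connectors</groupId>
      <artifactId>mule-salesforce-connector</artifactId>
      <version>10.16.6</version>
    </dependency>
    <dependency>
      <groupId>com.mulesoft.connectors</groupId>
      <artifactId>mule-salesforce-connector</artifactId>
      <version>${sf.version}</version>
    </dependency>
  </dependencies>
</project>"""

def local(tag):
    """Strip the XML namespace so namespaced and plain POMs both work."""
    return tag.rsplit("}", 1)[-1]

def version_key(version):
    """'10.16.7' -> (10, 16, 7); only the digit groups are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def outdated_dependencies(pom_text, artifact_id, minimum):
    """Return declared versions of artifact_id that sort below minimum."""
    root = ET.fromstring(pom_text)
    props = {local(p.tag): (p.text or "").strip()
             for el in root.iter() if local(el.tag) == "properties" for p in el}
    found = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != artifact_id or "version" not in fields:
            continue
        # Resolve ${name} placeholders from <properties>; unknown ones stay unresolved.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields["version"])
        if version_key(version) < version_key(minimum):
            found.append(version)
    return found
```

With a minimum of `10.16.7`, only `10.16.6` is reported for the sample; `10.16.60` is correctly treated as newer.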