Unexpected version release lifecycle and provider (20250107.0.0.redhat-00001)

[ron190]

Hi,

Artifact like 20250107.0.0.redhat-00001 have been released recently, and following this release dependabot has also created an automatic PR.

Here's an example of those redhat versions pushed by dependabot for several groupId:artifactId : https://github.com/ron190/jsql-injection/pulls?q=is%3Apr+is%3Aopen+redhat

We can see those json artifacts also on mavenrepo: https://mvnrepository.com/artifact/org.json/json?repo=redhat-ga

As we are hearing about supply chain issues since some times :

• Should we care for any version released other than the version coming from Central provider ?

• Do you know these dozen other providers origins ? are there any legitimacy consideration to have regarding those other providers ?

[johnjaylward]

I would assume that it would be project dependent. Some projects may want "Redhat releases" while others may not. You should be able to configure dependabot to ignore certain sources. If not, I would open a bug report with dependabot to address the problem. It seems reasonable to me that you should be able to specify the exact repositories that are relevant.

The main issue I see from the dependabot documentation is that it appears the bot does not run maven or gradle in order to calculate actual dependencies, but instead just keeps a list of available packages and versions and makes pom replacements.

[ron190]

Yes, maybe some filtering like versions-ignore to add to dependabot yml, though it seems kind of insecure to have to specify a source origin or to maintain a custom filter on the client side.

Also when we refer to coordinate org.json:json until now I was guessing that we always implicitly meant the official one by default, released by the credited project and author, and not by any forks like Gael or Immopoly. Shouldn't they use another coordinates than yours ?

I was not even aware that mvn coordinates could be shared by multiple authors, which makes me wonder what's the way to identify the official artifact's owner ? Is it the convention that Central owner is the official provider and everything else possibly an unapproved insecure fork ?