Introducing sonar-alloweddependencies-plugin

Around a year ago I published part 2 of this series, providing an approach for restricting the dependencies which could be downloaded through a Nexus repository server.

One struggle that became obvious when trying to implement this approach at scale is that you are required to approve all the transitive dependencies down the chain too. NPM projects especially become unreasonable to maintain quickly. As an example one of my pretty basic Homebridge plugins has a total of 15 dependencies between dependencies and devDependencies - after deduplication the dependency tree has more than 800 items. That is not maintainable through Nexus content selectors.

A different approach, which does not prevent downloading, is to integrate checks into the code quality analysis performed by SonarQube. There are no rules built in to do this though, so a custom plugin was required.

The Plugin

I have created an initial implementation of a plugin which provides this functionality: sonar-alloweddependencies-plugin.

This exposes a number of new rules, detailed in the project readme, and is only concerned with dependencies which are referenced in the project directly. It performs no checks against transitive dependencies. This supports both Maven pom.xml and NPM package.json dependency descriptors, and supports providing different dependency lists for different scopes (e.g. test and main).

Once a rule is enabled and configured with an approved list of dependencies, this will create issues if a dependency is used that is not in the allowed list.

Example Maven Violations Example NPM Violations


Releases of this are published to GitHub Packages only at this point, so are accessible from the GitHub project page. I have not yet went through the validation process to get setup for Maven Central. Note that there are published versions for both snapshots and main releases.


If you hit any issues, have suggested improvements, or even want to contribute then please raise an issue on the GitHub page. I still have some changes I want to make to this, but the latest non-snapshot release is usable.