potiuk commented on PR #12421:
URL: https://github.com/apache/maven/pull/12421#issuecomment-4885918654

   Thanks — that inventory is genuinely useful (and agreed, the 
40-repos-instead-of-one situation is exactly what makes "what's in scope" 
harder than it should be).
   
   I'll add `maven-dependency-analyzer` to the shared-libraries block, and 
`maven-shared-io` alongside it flagged low-activity — you're right that it's 
probably-defunct-but-not-quite.
   
   On the long tail: I'd rather not grow the §2 table into a full census of all 
~45 `maven-*` repos — its job is the active, security-relevant components (the 
things that execute code or sit on the release path), not an exhaustive repo 
list. The "what actually gets scanned" decision is the separate scan-scope 
call, and that's already pinned: Sylwester gave us a branch-level active set, 
and we filter to repos with a live OSSF criticality score. So the model reasons 
about the component *classes*; the scan runs against the confirmed active 
subset.
   
   If there's a specific repo in your list you think belongs in the *model* 
(beyond dependency-analyzer + shared-io), name it and I'll pull it in — I'll 
leave the dormant / site / infra ones out by default.
   
   — Jarek
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to