potiuk commented on PR #12421: URL: https://github.com/apache/maven/pull/12421#issuecomment-4885918654
Thanks — that inventory is genuinely useful (and agreed, the 40-repos-instead-of-one situation is exactly what makes "what's in scope" harder than it should be). I'll add `maven-dependency-analyzer` to the shared-libraries block, and `maven-shared-io` alongside it flagged low-activity — you're right that it's probably-defunct-but-not-quite. On the long tail: I'd rather not grow the §2 table into a full census of all ~45 `maven-*` repos — its job is the active, security-relevant components (the things that execute code or sit on the release path), not an exhaustive repo list. The "what actually gets scanned" decision is the separate scan-scope call, and that's already pinned: Sylwester gave us a branch-level active set, and we filter to repos with a live OSSF criticality score. So the model reasons about the component *classes*; the scan runs against the confirmed active subset. If there's a specific repo in your list you think belongs in the *model* (beyond dependency-analyzer + shared-io), name it and I'll pull it in — I'll leave the dormant / site / infra ones out by default. — Jarek -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
