Third party repository detection

[alecharp]

Description

Some plugins are using third party repositories to resolve dependencies.
Being able to detect those could be of interest for the infra team.

Idea from @lemeurherve and @dduportal

[dduportal]

For instance:

• Problem in finding an artifact from a third-party artfactory (jfrog) helpdesk#3501
• Maven central packages not found on build agent helpdesk#3434

[DanielS01ss]

Hi!
I would love to work on this issue

[Jagrutiti]

Hi everyone,

If a <url> in pom.xml does not start with https://repo.jenkins-ci.org/ui/packages, does that mean it is a third-party package?

Should this be my approach to detect a third-party package?

[alecharp]

@DanielS01ss I'm sorry, but as part of the GSoC project, it would be better if you could find another issue to work one. Those without the project GSoC 2023 are up for grab.

@Jagrutiti no really. This because you are project.url which should point to the plugin repository (or somewhere in the repository) for the plugin documentation migration. But you have project.repositories which should be a list of 1 or more elements. What we want is to detect if a plugin is using a repository which is not https://repo.jenkins-ci.org/public.

Please see https://maven.apache.org/guides/introduction/introduction-to-repositories.html and sub-documentation to have more details.

The problem is not third-party packages. The problem is getting those packages from a place we (Jenkins community) have no knowledge about.

Note: please reuse what exists to parse the pom.xml, aka use a library to read the POM file.

[alecharp]

After discussing with @lemeurherve, we need to track everything that is downloaded outside of repo.jenkins-ci.org. This also includes pluginRepositories.

[Jagrutiti]

To continue the work further, learning more about effective-pom and how to run maven from java could prove helpful.

[AayushSaini101]

@alecharp Please add GSOC label