🚧 Third party repository detection probe

core/pom.xml

@@ -102,5 +102,9 @@
 			<artifactId>postgresql</artifactId>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.apache.maven</groupId>
+			<artifactId>maven-model</artifactId>
+		</dependency>
 	</dependencies>
 </project>

core/src/main/java/io/jenkins/pluginhealth/scoring/probes/Probe.java

@@ -24,6 +24,7 @@
 
 package io.jenkins.pluginhealth.scoring.probes;
 
+import java.io.IOException;
 import java.time.ZonedDateTime;
 import java.util.Optional;
 
@@ -49,11 +50,15 @@ public abstract class Probe {
      * @return the result of the analyze in a {@link ProbeResult}
      */
     public final ProbeResult apply(Plugin plugin, ProbeContext context) {
-        if (shouldBeExecuted(plugin, context)) {
-            if (LOGGER.isTraceEnabled()) {
-                LOGGER.trace("Running {} on {}", this.key(), plugin.getName());
+        try {
+            if (shouldBeExecuted(plugin, context)) {
+                if (LOGGER.isTraceEnabled()) {
+                    LOGGER.trace("Running {} on {}", this.key(), plugin.getName());
+                }
+                return doApply(plugin, context);
             }
-            return doApply(plugin, context);
+        } catch (IOException e) {
+            LOGGER.error("File Reading exception {}", e);
         }
         return ProbeResult.error(key(), key() + " does not meet the criteria to be executed on " + plugin.getName());
     }
@@ -104,7 +109,7 @@ private boolean shouldBeExecuted(Plugin plugin, ProbeContext context) {
      * @param context holder of information passed across the probes executed on a single plugin
      * @return a ProbeResult representing the result of the analysis
      */
-    protected abstract ProbeResult doApply(Plugin plugin, ProbeContext context);
+    protected abstract ProbeResult doApply(Plugin plugin, ProbeContext context) throws IOException;
 
     /**
      * List of probe key to be present in the {@link Plugin#details} map and to be {@link ResultStatus#SUCCESS} in

core/src/main/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbe.java

@@ -0,0 +1,111 @@
+package io.jenkins.pluginhealth.scoring.probes;
+
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URL;
+import java.util.HashSet;
+import java.util.Set;
+
+import io.jenkins.pluginhealth.scoring.model.Plugin;
+import io.jenkins.pluginhealth.scoring.model.ProbeResult;
+
+import org.apache.maven.model.Model;
+import org.apache.maven.model.Repository;
+import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
+import org.codehaus.plexus.util.xml.pull.XmlPullParserException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+@Component
+@Order(value = ThirdPartyRepositoryDetectionProbe.ORDER)
+public class ThirdPartyRepositoryDetectionProbe extends Probe {
+    private static final Logger LOGGER = LoggerFactory.getLogger(ThirdPartyRepositoryDetectionProbe.class);
+    public static final int ORDER = SCMLinkValidationProbe.ORDER + 100;
+    public static final String KEY = "third-party-repository-detection-probe";
+    final String hostName = "https://repo.jenkins-ci.org";
+//    final String parentPom = "https://raw.githubusercontent.com/jenkinsci/plugin-pom/master/pom.xml";
+    final String parentPom = "https://github.com/jenkinsci/plugin-pom/blob/master/pom.xml";
+
+    @Override
+    protected ProbeResult doApply(Plugin plugin, ProbeContext context) {
+        MavenXpp3Reader mavenReader = new MavenXpp3Reader();
+        Set<Repository> allRepositories = new HashSet<>();
+
+        try {
+            InputStream inputStream = new FileInputStream(context.getScmRepository() + "/pom.xml");
+            Reader reader = new InputStreamReader(inputStream, "UTF-8");
+            Model model = mavenReader.read(reader);
+            allRepositories.addAll(model.getRepositories());
+            allRepositories.addAll(model.getPluginRepositories());
+
+            if (!model.getParent().getRelativePath().isBlank()) {
+                Model parentPomModel = parsePomFromUrl(model.getParent().getRelativePath());
+                allRepositories.addAll(parentPomModel.getRepositories());
+                allRepositories.addAll(parentPomModel.getPluginRepositories());
+            }
+            for (Repository repository : allRepositories) {
+                if (!repository.getUrl().startsWith(hostName)) {
+                    return ProbeResult.failure(KEY, "Third party repositories detected in the plugin");
+                }
+            }
+        } catch (FileNotFoundException e) {
+            LOGGER.error("File not found at {}", plugin.getName());
+            return ProbeResult.error(KEY, e.getMessage());
+        } catch (XmlPullParserException e) {
+            LOGGER.error("Pom file could not be parsed at {}", plugin.getName());
+            return ProbeResult.error(KEY, e.getMessage());
+        } catch (IOException e) {
+            LOGGER.error("File reading exception at {}", plugin.getName());
+            return ProbeResult.error(KEY, e.getMessage());
+
+        }
+        return allRepositories.size() > 0 ? ProbeResult.success(KEY, "The plugin has no third party repositories")
+            : ProbeResult.failure(KEY, "No repositories detected");
+    }
+
+    @Override
+    public String key() {
+        return KEY;
+    }
+
+    @Override
+    public String getDescription() {
+        return "Detects third-party repositories in a plugin.";
+    }
+
+    @Override
+    public String[] getProbeResultRequirement() {
+        return new String[] { SCMLinkValidationProbe.KEY};
+    }
+
+    public Model parsePomFromUrl(String pomUrl) {
+        Model model = null;
+
+        try {
+            if (pomUrl.startsWith(("https"))) {
+                URL url = new URL(pomUrl);
+                try (InputStream inputStream = url.openStream()) {
+                    MavenXpp3Reader mavenReader = new MavenXpp3Reader();
+                    model = mavenReader.read(inputStream);
+                }
+            }
+            else {
+                // for test cases
+                InputStream inputStream = new FileInputStream(pomUrl);
+                Reader reader = new InputStreamReader(inputStream, "UTF-8");
+                model = new MavenXpp3Reader().read(reader);
+            }
+        } catch (IOException e) {
+            LOGGER.error("File could not be found {}", e.getMessage());
+        } catch (XmlPullParserException e) {
+            LOGGER.error("Pom file could not be parsed {}", e.getMessage());
+        }
+        return model;
+    }
+}

core/src/test/java/io/jenkins/pluginhealth/scoring/probes/ThirdPartyRepositoryDetectionProbeTest.java

@@ -0,0 +1,152 @@
+package io.jenkins.pluginhealth.scoring.probes;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.params.provider.Arguments.arguments;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Map;
+import java.util.stream.Stream;
+
+import io.jenkins.pluginhealth.scoring.model.Plugin;
+import io.jenkins.pluginhealth.scoring.model.ProbeResult;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+class ThirdPartyRepositoryDetectionProbeTest extends AbstractProbeTest<ThirdPartyRepositoryDetectionProbe> {
+    @Override
+    ThirdPartyRepositoryDetectionProbe getSpy() {
+        return spy(ThirdPartyRepositoryDetectionProbe.class);
+    }
+
+    @Test
+    void shouldBeExecutedAfterSCMLinkValidationProbeProbe() {
+        final Plugin plugin = mock(Plugin.class);
+        final ProbeContext ctx = mock(ProbeContext.class);
+        final ThirdPartyRepositoryDetectionProbe probe = getSpy();
+        when(plugin.getName()).thenReturn("foo-bar");
+        assertThat(probe.apply(plugin, ctx))
+            .usingRecursiveComparison()
+            .comparingOnlyFields("id", "status")
+            .isEqualTo(ProbeResult.error(ThirdPartyRepositoryDetectionProbe.KEY, ""));
+        verify(probe, never()).doApply(plugin, ctx);
+    }
+
+    private static Stream<Arguments> successes() {
+        return Stream.of(
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-only-correct-path"),
+                "https://github.com/jenkinsci/test-plugin"
+            ),
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-parent-child-no-third-party-repository-success", "plugin"),
+                "https://github.com/jenkinsci/test-plugin"
+            )
+        );
+    }
+
+    @ParameterizedTest
+    @MethodSource("successes")
+    void shouldPassIfNoThirdPartyRepositoriesDetected(Path resourceDirectory, String scm) {
+        final Plugin plugin = mock(Plugin.class);
+        final ProbeContext ctx = mock(ProbeContext.class);
+
+        when(ctx.getScmRepository()).thenReturn(resourceDirectory);
+        when(plugin.getDetails()).thenReturn(Map.of(
+            SCMLinkValidationProbe.KEY, ProbeResult.success(SCMLinkValidationProbe.KEY, "")
+        ));
+        when(plugin.getScm()).thenReturn(scm);
+
+        final ThirdPartyRepositoryDetectionProbe probe = getSpy();
+        assertThat(probe.apply(plugin, ctx))
+            .usingRecursiveComparison()
+            .comparingOnlyFields("id", "message", "status")
+            .isEqualTo(ProbeResult.success(ThirdPartyRepositoryDetectionProbe.KEY, "The plugin has no third party repositories"));
+        verify(probe).doApply(any(Plugin.class), any(ProbeContext.class));
+    }
+
+    private static Stream<Arguments> failures() {
+        return Stream.of(
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-both-paths"),
+                "https://github.com/jenkinsci/test-plugin"
+            ),
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-only-incorrect-path"),
+                "https://github.com/jenkinsci/test-plugin"
+            ),
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-third-party-probe-in-parent-failure", "plugin"),
+                "https://github.com/jenkinsci/test-plugin/plugin"
+            ),
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-third-party-probe-in-child-failure", "plugin"),
+                "https://github.com/jenkinsci/test-plugin/plugin"
+            )
+        );
+    }
+
+    @ParameterizedTest
+    @MethodSource("failures")
+    void shouldFailIfThirdPartRepositoriesDetected(Path resourceDirectory, String scm) {
+        final Plugin plugin = mock(Plugin.class);
+        final ProbeContext ctx = mock(ProbeContext.class);
+
+        when(ctx.getScmRepository()).thenReturn(resourceDirectory);
+        when(plugin.getDetails()).thenReturn(Map.of(
+            SCMLinkValidationProbe.KEY, ProbeResult.success(SCMLinkValidationProbe.KEY, "")
+        ));
+        when(plugin.getScm()).thenReturn(scm);
+
+        final ThirdPartyRepositoryDetectionProbe probe = getSpy();
+        assertThat(probe.apply(plugin, ctx))
+            .usingRecursiveComparison()
+            .comparingOnlyFields("id", "message", "status")
+            .isEqualTo(ProbeResult.failure(ThirdPartyRepositoryDetectionProbe.KEY, "Third party repositories detected in the plugin"));
+        verify(probe).doApply(any(Plugin.class), any(ProbeContext.class));
+    }
+
+    private static Stream<Arguments> failures2() {
+        return Stream.of(
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-no-repository-tag"),
+                "https://github.com/jenkinsci/test-plugin"
+            ),
+            arguments(
+                Paths.get("src", "test", "resources", "pom-test-parent-child-no-repository-tag-failure", "plugin"),
+                "https://github.com/jenkinsci/test-plugin"
+            )
+        );
+    }
+
+    @ParameterizedTest
+    @MethodSource("failures2")
+    void shouldFailWhenNoRepositoriesDetected(Path resourceDirectory, String scm) {
+        final Plugin plugin = mock(Plugin.class);
+        final ProbeContext ctx = mock(ProbeContext.class);
+
+        when(ctx.getScmRepository()).thenReturn(resourceDirectory);
+        when(plugin.getDetails()).thenReturn(Map.of(
+            SCMLinkValidationProbe.KEY, ProbeResult.success(SCMLinkValidationProbe.KEY, "")
+        ));
+        when(plugin.getScm()).thenReturn(scm);
+
+        final ThirdPartyRepositoryDetectionProbe probe = getSpy();
+        assertThat(probe.apply(plugin, ctx))
+            .usingRecursiveComparison()
+            .comparingOnlyFields("id", "message", "status")
+            .isEqualTo(ProbeResult.failure(ThirdPartyRepositoryDetectionProbe.KEY, "No repositories detected"));
+        verify(probe).doApply(any(Plugin.class), any(ProbeContext.class));
+    }
+
+
+}

core/src/test/resources/pom-test-both-paths/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This is a fake pom used for test cases
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.jenkins-ci.plugins</groupId>
+		<artifactId>plugin</artifactId>
+		<version>4.58</version>
+		<relativePath />
+	</parent>
+
+	<properties>
+		<changelist>9999-SNAPSHOT</changelist>
+		<jenkins.version>2.361.4</jenkins.version>
+	</properties>
+
+
+	<artifactId>not-a-real-publisher</artifactId>
+	<name>Fake Publisher</name>
+	<description>For testing purpose</description>
+	<version>${changelist}</version>
+	<packaging>hpi</packaging>
+	<url>https://test.com/test/${project.artifactId}-plugin</url>
+
+	<repositories>
+		<repository>
+			<id>repo.jenkins-ci.org</id>
+			<url>https://repo.jenkins-ci.org/public/</url>
+		</repository>
+		<repository>
+			<id>releases-repo.jenkins-ci.org</id>
+			<url>https://repo.jenkins-ci.org/releases/</url>
+		</repository>
+		<repository>
+			<id>atlassian-public</id>
+			<url>https://packages.atlassian.com/mvn/maven-external/</url>
+		</repository>
+	</repositories>
+
+	<pluginRepositories>
+		<pluginRepository>
+			<id>repo.jenkins-ci.org</id>
+			<url>https://repo.jenkins-ci.org/public/</url>
+		</pluginRepository>
+		<pluginRepository>
+			<id>repo.jenkins-ci.org</id>
+			<url>https://packages.atlassian.com/mvn/maven-external/</url>
+		</pluginRepository>
+	</pluginRepositories>
+</project>

core/src/test/resources/pom-test-no-repository-tag/pom.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This is a fake pom used for test cases
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.jenkins-ci.plugins</groupId>
+		<artifactId>plugin</artifactId>
+		<version>4.58</version>
+		<relativePath />
+	</parent>
+
+	<properties>
+		<changelist>9999-SNAPSHOT</changelist>
+		<jenkins.version>2.361.4</jenkins.version>
+	</properties>
+
+
+	<artifactId>not-a-real-publisher</artifactId>
+	<name>Fake Publisher</name>
+	<description>For testing purpose</description>
+	<version>${changelist}</version>
+	<packaging>hpi</packaging>
+	<url>https://test.com/test/${project.artifactId}-plugin</url>
+
+</project>