Using the source version metric - ICTU/quality-time GitHub Wiki
For every tool in your stack, you want to check whether you are running the latest version.
While Quality-time can retrieve the current version of a source, it cannot determine whether that is the latest version. The user has to set the target (the latest version of the software) manually. Most teams choose to ignore patch releases, i.e. the team does not want to be notified through Quality-time whenever a patch release is available.
- Set the metric target to MAJOR.MINOR. So if the latest version of the software is 2.16.1, set it to 2.16.
- Set the metric near target to MAJOR. In our example this would be 2.
Because this configuration has to be done manually, it is advised to set a reminder (this can be the calendar date metric) and to put the following in the comment field (which can be found in the technical debt tab of the metric):

```html
<a href="https://github.com/[repository]/[projectname]/releases#:~:text=latest" target="_blank">Find the most recent version</a>
```

Go to the repository of the tool in question (for instance on GitHub) and change the URL above accordingly, keeping the part after the `#`.

Below is a list of suggested comments for commonly used sources (tools):

| Tool | Comment |
|---|---|
| OWASP dependency-check | `<div> <a href="https://github.com/dependency-check/DependencyCheck/releases#:~:text=latest" target="_blank">Find the most recent version</a> <p>Patch versions are ignored. Yellow = minor update, Red = major update.</p> </div>` |
| Deque axe core (see also Using Axe Core as a source) | `<div> <a href="https://github.com/dequelabs/axe-core/releases#:~:text=latest" target="_blank">Find the most recent version</a> <p>Patch versions are ignored. Yellow = minor update, Red = major update.</p> </div>` |
| OWASP ZAP (Zed Attack Proxy) | `<div> <a href="https://github.com/zaproxy/zaproxy/releases#:~:text=latest" target="_blank">Find the most recent version</a> <p>Patch versions are ignored. Yellow = minor update, Red = major update.</p> </div>` |
| Dependency-Track | `<div> <a href="https://github.com/DependencyTrack/dependency-track/releases#:~:text=latest" target="_blank">Find the most recent version</a> <p>Patch versions are ignored. Yellow = minor update, Red = major update.</p> </div>` |
| SonarQube | `<div> <a href="https://github.com/SonarSource/sonarqube/releases#:~:text=latest" target="_blank">Find the most recent version</a> <p>Patch versions are ignored. Yellow = minor update, Red = major update.</p> </div>` |
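
The target rule above (latest 2.16.1 gives target 2.16 and near target 2) and the colour legend from the suggested comments, worked through as an added Python example that is not part of this wiki or of Quality-time's own code. The function names are hypothetical, and the evaluation is an assumption: a running version meets a threshold when it is at least that value, with missing components counted as 0.

```python
import re


def parse_version(text):
    """Return the first dotted number in a version or release tag as a tuple of ints.

    Assumption: suffixes such as "-rc1" are ignored, so "2.16.0-rc1" parses as 2.16.0.
    """
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def targets_for(latest):
    """Derive (target, near_target) from the latest release: MAJOR.MINOR and MAJOR."""
    parts = parse_version(latest) + (0,)  # pad so a bare "3" yields minor 0
    major, minor = parts[0], parts[1]
    return f"{major}.{minor}", str(major)


def _at_least(version, bound):
    """True if version >= bound, treating missing components as 0 (2.16 == 2.16.0)."""
    width = max(len(version), len(bound))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(bound)


def status(running, target, near_target):
    """Classify a running version using the legend from the suggested comments."""
    version = parse_version(running)
    if _at_least(version, parse_version(target)):
        return "green"   # only patch releases (or nothing) are newer
    if _at_least(version, parse_version(near_target)):
        return "yellow"  # a minor update is available
    return "red"         # a major update is available


if __name__ == "__main__":
    # Constructed sample: latest release is 2.16.1, as in the example above.
    target, near_target = targets_for("v2.16.1")
    for running in ("2.16.0", "2.15.3", "1.9.4"):
        print(running, status(running, target, near_target))
```
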