For the spotbugs plugin there are 2 poms published to Maven repository:
https://plugins.gradle.org/m2/com/github/spotbugs/com.github.spotbugs.gradle.plugin/5.0.9/com.github.spotbugs.gradle.plugin-5.0.9.pom
https://plugins.gradle.org/m2/com/github/spotbugs/snom/spotbugs-gradle-plugin/5.0.9/spotbugs-gradle-plugin-5.0.9.pom
For tools like dependabot it would be useful if the former contained the SCM information from the latter so that changelog can be obtained from GitHub. Is this something that can be fixed in the plugin code or is it a problem with the plugin portal?
It is up to the plugins build to configure the POMs.
If it only configures one of them with the information it is its decision and you should request the plugin project to add the information to the second POM too if this is necessary.
Thanks for the reply. I checked a bit more how this works and it seems that only one of the POMs can be fully configured by plugin author:
while the other is built by Maven Plugin Publishing Plugin
This might be related to publish using maven-publish resulting in shrinked pom.xml version · Issue #20142 · gradle/gradle · GitHub which is closed, but not yet included in stable Gradle release.
The code you linked to just adds the dependency from the marker artifact to the code artifact but doesn’t touch anything else, so any pom configuration should work fine.
The comments in the issue you linked to also say so. And the issue is just a documentation issue, so whether it is in a released version or not is pretty uninteresting.
Thanks for pointing me to “marker artifacts”, that helped me find out that my question is just a duplicate of How can I customize the pom of the Plugin Marker Artifacts