Dependency Updates for internal Repositories not working for all repository managers
Hi there,
I was waiting for the new DependencyTrack version 4.6 because it supports repository authentication for internal repositories, so that checking whether versions of internal components are the latest will work for us.
So I configured our internal repository with authentication via the frontend, uploaded a BOM that uses an internal dependency and … no version update information is displayed 😦
After checking the logs and browsing the relevant code of dependency-track I was able to find the reason why no version update is shown. It turns out that dependency-track checks the version of a component against the <latest> information found in the maven-metadata.xml from the remote repository, as in the following lines of code:
The problem now is that the maven-metadata.xml in our internal repository contains no <latest> information. I then started some research about the maven metadata and that information, and it seems like maven is not responsible for updating/setting the <latest> information in such a maven-metadata.xml, unless the deployed artifact is a maven plugin. I couldn’t find any “official” resources, but it was explained here (Nexus Repository) and here (stackoverflow). I can reproduce this situation in my local repository, where the <latest> information is contained in the maven-metadata-local.xml for maven plugin artifacts but not for other maven artifacts. So the <latest> information for non maven plugin artifacts seems to be updated by the repository manager, and the one we use (gitlab) seems not to support this.
What gets updated for both maven plugin artifacts and non maven plugin artifacts is the <release> information in the maven-metadata.xml. As said in the maven documentation, the <latest> contains “the last version added to the directory, including both releases and snapshots”, whereas the <release> contains “the last version added to the directory, for the releases only”.
This said, wouldn’t it be better to compare a component’s version with the <release> instead of the <latest> information in general? At least I would love to see a workaround for those repositories where the maven-metadata.xml does not contain <latest> but does contain <release> information.
Thanks in advance!
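As an added example (my own code, not Dependency-Track's), here is the version lookup the post describes together with the fallback it asks for: read <latest> from maven-metadata.xml and, when a repository manager never wrote that tag, fall back to <release>. The two metadata documents are constructed samples and the function name pick_latest is my own.

```python
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample: metadata as served for a plain library by a repository
# manager that never writes <latest> (the GitLab case from the issue).
NO_LATEST = """<metadata>
  <groupId>com.example</groupId>
  <artifactId>internal-lib</artifactId>
  <versioning>
    <release>1.4.0</release>
    <versions>
      <version>1.3.0</version>
      <version>1.4.0</version>
    </versions>
  </versioning>
</metadata>"""

# Constructed sample: metadata as written for a Maven plugin, where <latest>
# is present and points at a snapshot newer than the last release.
WITH_LATEST = """<metadata>
  <groupId>com.example</groupId>
  <artifactId>internal-plugin</artifactId>
  <versioning>
    <latest>2.1.0-SNAPSHOT</latest>
    <release>2.0.0</release>
    <versions>
      <version>2.0.0</version>
      <version>2.1.0-SNAPSHOT</version>
    </versions>
  </versioning>
</metadata>"""


def pick_latest(xml_text: str, fallback_to_release: bool = True) -> Optional[str]:
    """Return the version to treat as 'latest', or None if no usable tag exists.

    fallback_to_release=False reproduces the behaviour the issue describes
    (only <latest> is consulted, so GitLab-style metadata yields nothing);
    True is the requested workaround: use <release> when <latest> is absent.
    """
    # xml.etree does not resolve external entities, so the remote document
    # is parsed as plain data; the content is then read tag by tag.
    versioning = ET.fromstring(xml_text).find("versioning")
    if versioning is None:
        return None
    tags = ("latest", "release") if fallback_to_release else ("latest",)
    for tag in tags:
        node = versioning.find(tag)
        if node is not None and node.text and node.text.strip():
            return node.text.strip()
    return None
```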
Issue Analytics
- State:
- Created a year ago
- Comments: 9 (4 by maintainers)
Top GitHub Comments
I have tested the fix of @syalioune in the latest 4.7 SNAPSHOT and things are now working great for me. In fact, better than great, I did not realise just how useful it would be to see “Latest Version” information for internal components until it was actually working!
So, from my perspective, this issue can be closed as “completed in 4.7”. As long as @sischi is happy.
Thanks for your support @syalioune and @msymons! I have not tested it yet, but your implementation looks great, @syalioune.
Yes @msymons I’m very happy now 😊 so I will close this issue. Good job 👌