Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Dependency Updates for internal Repositories not working for all repository managers
See original GitHub issueHi there,
I was waiting for the new DependencyTrack version 4.6 because it supports repository authentication for internal repositories, so that checking versions of internal components to be the latest will work for us.
So I configured our internal repository with authentication via frontend, uploaded a bom that uses an internal dependency and … no version update information is displayed 😦
After checking the logs and browsing the relevant code of dependency-track I was able to find the reason, that no version update is shown. It turns out that the dependency-track checks the version of a component against the <latest> information found in the maven-metadata.xml from the remote repository, as in the following lines of code:
The problem now is, that the maven-metadata.xml in our internal repository contains no <latest> information. I have then started some research about the maven metadata and those information and it seems like maven is not responsible for updating/setting the <latest> information in such maven-metadata.xml, except the deployed artifact is a maven plugin. I couldn’t find any “official” resources, but it was explained here (Nexus Repository) and here (stackoverflow). I can reproduce this situation in my local repository, where the <latest> information is contained in the maven-metadata-local.xml for maven plugin artifacts but not for other maven artifacts. So the <latest> information for non maven plugin artifacts seem to be updated by the repository manager and the one we use (gitlab) seems not to support this.
What gets updated for both, maven plugin artifacts and non maven plugin artifacts, is the <release> information in the maven-metadata.xml. Like said in the maven documentation the <latest> contains “the last version added to the directory, including both releases and snapshots”, whereas the <release> contains “the last version added to the directory, for the releases only”.
This said, wouldn’t it be better to compare a components version with the <release> instead of <latest> information in general? At least I would love to see a workaround for those repositories where the maven-metadata.xml does not contain <latest> but does contain <release> information.
Thanks in advance!
Issue Analytics
- State:
- Created a year ago
- Comments:9 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I have tested the fix of @syalioune in the latest 4.7 SNAPSHOT and things are now working great for me. In fact, better than great, I did not realise just how useful it would be to see “Latest Version” information for internal components until it was actually working!
So, from my perspective, this issue can be closed as “completed in 4.7”. As long as @sischi is happy.
Thanks for your support @syalioune and @msymons! I have not tested it yet, but your implementation looks great, @syalioune.
Yes @msymons I’m very happy now 😊 so I will close this issue. Good job 👌