
Dependency Updates for internal Repositories not working for all repository managers


Hi there,

I was waiting for the new Dependency-Track version 4.6 because it supports repository authentication for internal repositories, so that checking whether the versions of internal components are the latest will work for us.

So I configured our internal repository with authentication via the frontend, uploaded a BOM that uses an internal dependency and … no version update information is displayed 😦

After checking the logs and browsing the relevant code of Dependency-Track I was able to find the reason why no version update is shown. It turns out that Dependency-Track checks the version of a component against the <latest> information found in the maven-metadata.xml from the remote repository, as in the following lines of code:

https://github.com/DependencyTrack/dependency-track/blob/7878b039b7b61e5aa3b9a1af9ddab7de738f2925/src/main/java/org/dependencytrack/tasks/repositories/RepositoryMetaAnalyzerTask.java#L96-L111

The problem now is that the maven-metadata.xml in our internal repository contains no <latest> information. I then started some research about the Maven metadata and that information, and it seems that Maven is not responsible for updating/setting the <latest> information in such a maven-metadata.xml, unless the deployed artifact is a Maven plugin. I couldn't find any "official" resources, but it was explained here (Nexus Repository) and here (Stack Overflow). I can reproduce this situation in my local repository, where the <latest> information is contained in the maven-metadata-local.xml for Maven plugin artifacts but not for other Maven artifacts. So the <latest> information for non-plugin artifacts seems to be updated by the repository manager, and the one we use (GitLab) seems not to support this.

What gets updated for both Maven plugin artifacts and non-plugin artifacts is the <release> information in the maven-metadata.xml. As said in the Maven documentation, <latest> contains "the last version added to the directory, including both releases and snapshots", whereas <release> contains "the last version added to the directory, for the releases only".

This said, wouldn't it be better to compare a component's version with the <release> instead of the <latest> information in general? At least I would love to see a workaround for those repositories where the maven-metadata.xml does not contain <latest> but does contain <release> information.

Thanks in advance!
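The issue above describes two things a repository-metadata analyzer has to get right: which element of maven-metadata.xml to treat as the reference version when `<latest>` is absent, and the fact that `<latest>` may point at a SNAPSHOT while `<release>` never does. The following is an added example written for this page, not Dependency-Track's own code (which is Java; Python is used here so the logic can be run stand-alone). Both metadata documents are constructed samples: `example-maven-plugin` stands for an artifact whose repository manager maintains `<latest>`, and `billing-core` for the GitLab-style metadata from the issue that carries only `<release>`. The version ordering is a simplified version of Maven's ComparableVersion rules (qualifier ranking, numbers after qualifiers, trailing zeros ignored) and is labelled as such in the code.

```python
"""Pick the reference version from maven-metadata.xml with a <latest> -> <release>
-> max(<versions>) fallback, and decide whether a component is outdated.
Added example, not Dependency-Track code. Sample metadata below is constructed."""
import re
import xml.etree.ElementTree as ET
from functools import cmp_to_key
from typing import Optional

# Constructed: a repository manager that maintains <latest> (note it is a SNAPSHOT).
METADATA_WITH_LATEST = """<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>com.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <versioning>
    <latest>1.3.0-SNAPSHOT</latest>
    <release>1.2.0</release>
    <versions>
      <version>1.1.0</version>
      <version>1.2.0</version>
      <version>1.3.0-SNAPSHOT</version>
    </versions>
    <lastUpdated>20221101120000</lastUpdated>
  </versioning>
</metadata>"""

# Constructed: the situation from the issue, <release> present but no <latest>.
METADATA_RELEASE_ONLY = """<?xml version="1.0" encoding="UTF-8"?>
<metadata modelVersion="1.1.0">
  <groupId>com.example.internal</groupId>
  <artifactId>billing-core</artifactId>
  <versioning>
    <release>2.4.1</release>
    <versions>
      <version>2.3.0</version>
      <version>2.4.0</version>
      <version>2.4.1</version>
    </versions>
    <lastUpdated>20221028083000</lastUpdated>
  </versioning>
</metadata>"""

# Simplified Maven qualifier ordering: alpha < beta < milestone < rc < snapshot < release < sp.
QUALIFIER_ORDER = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
ALIASES = {"a": "alpha", "b": "beta", "m": "milestone", "cr": "rc", "ga": "", "final": "", "release": ""}
RELEASE_RANK = (QUALIFIER_ORDER.index(""), "")


def _tokens(version: str) -> list:
    # Split on separators and letter/digit transitions: "2.0.0-rc1" -> [2, 0, 0, "rc", 1].
    # Simplification: '.' and '-' are treated alike, unlike Maven's ComparableVersion.
    return [int(t) if t.isdigit() else t.lower() for t in re.findall(r"\d+|[A-Za-z]+", version)]


def _rank(q: str) -> tuple:
    q = ALIASES.get(q, q)
    if q in QUALIFIER_ORDER:
        return (QUALIFIER_ORDER.index(q), "")
    return (len(QUALIFIER_ORDER), q)  # unknown qualifiers sort after known ones, lexically


def _cmp_item(a, b) -> int:
    # a, b are int, qualifier str, or None (missing token: behaves like 0 or like a release).
    if isinstance(a, int) and isinstance(b, int):
        return (a > b) - (a < b)
    if isinstance(a, int):
        return (a > 0) - (a < 0) if b is None else 1  # numbers sort after qualifiers
    if isinstance(b, int):
        return (0 > b) - (0 < b) if a is None else -1
    ra = RELEASE_RANK if a is None else _rank(a)
    rb = RELEASE_RANK if b is None else _rank(b)
    return (ra > rb) - (ra < rb)


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 like a C comparator; '1.0' == '1.0.0', '1.0-SNAPSHOT' < '1.0'."""
    t1, t2 = _tokens(v1), _tokens(v2)
    for i in range(max(len(t1), len(t2))):
        c = _cmp_item(t1[i] if i < len(t1) else None, t2[i] if i < len(t2) else None)
        if c:
            return c
    return 0


def parse_versioning(xml_text: str) -> dict:
    # Metadata comes from a remote repository, i.e. untrusted input: in production parse it
    # with defusedxml (or equivalent) rather than the stdlib parser used here for portability.
    root = ET.fromstring(xml_text)
    v = root.find("versioning")
    if v is None:
        return {"latest": None, "release": None, "versions": []}

    def text(tag: str) -> Optional[str]:
        el = v.find(tag)
        return el.text.strip() if el is not None and el.text and el.text.strip() else None

    return {"latest": text("latest"), "release": text("release"),
            "versions": [e.text.strip() for e in v.iterfind("versions/version") if e.text]}


def reference_version(xml_text: str, prefer_release: bool = False) -> Optional[str]:
    """Version to compare a component against. Default: <latest>, then <release>, then the
    highest <version>. prefer_release=True puts <release> first, so SNAPSHOTs never win."""
    info = parse_versioning(xml_text)
    for key in (("release", "latest") if prefer_release else ("latest", "release")):
        if info[key]:
            return info[key]
    if info["versions"]:
        return max(info["versions"], key=cmp_to_key(compare_versions))
    return None


def is_outdated(component_version: str, xml_text: str, prefer_release: bool = False) -> bool:
    ref = reference_version(xml_text, prefer_release)
    return ref is not None and compare_versions(component_version, ref) < 0


if __name__ == "__main__":
    print(reference_version(METADATA_RELEASE_ONLY), is_outdated("2.3.0", METADATA_RELEASE_ONLY))
    print(is_outdated("1.2.0", METADATA_WITH_LATEST), is_outdated("1.2.0", METADATA_WITH_LATEST, True))
```

With the GitLab-style document the fallback yields `2.4.1` from `<release>`, so `2.3.0` is reported outdated instead of silently getting no result. The plugin document shows why the choice matters: against `<latest>` the released `1.2.0` looks outdated because a `1.3.0-SNAPSHOT` exists, while `prefer_release=True` compares it to `<release>` and reports it current. Whichever rule an analyzer adopts, the version comparison should follow Maven's ordering rather than a plain string compare, and the metadata should be parsed as untrusted input since it is fetched from a remote repository over the configured credentials.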

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

msymons commented, Nov 1, 2022 (5 reactions)

I have tested the fix of @syalioune in the latest 4.7 SNAPSHOT and things are now working great for me. In fact, better than great, I did not realise just how useful it would be to see “Latest Version” information for internal components until it was actually working!

So, from my perspective, this issue can be closed as “completed in 4.7”. As long as @sischi is happy.

sischi commented, Nov 1, 2022 (2 reactions)

Thanks for your support @syalioune and @msymons! I have not tested it yet, but your implementation looks great, @syalioune.

Yes @msymons I’m very happy now 😊 so I will close this issue. Good job 👌
