central analyzer doesn't use our mirror, and maven central is often overloaded

We have configured the OWASP dependency check to run as part of our build process with maven, but it often fails the build due to not being able to contact maven central.

It seems to contact maven central even if we have our own nexus server configured in a <repositories> block in the pom file.

The relevant part of the log is:

[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 5 tries.
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts (CentralAnalyzer.java:288)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency (CentralAnalyzer.java:198)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:136)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.io.IOException: Could not connect to MavenCentral (503): Service Unavailable: Back-end server is at capacity
    at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1 (CentralSearch.java:194)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts (CentralAnalyzer.java:266)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency (CentralAnalyzer.java:198)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:136)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 7
  • Comments: 21 (11 by maintainers)

Top GitHub Comments

1 reaction
aikebah commented, May 11, 2018

@jeremylong Have you recently looked into Artifactory’s usability from DepCheck? If not, I’m offering to take a look. Their issue tracker indicates that hash search for artifacts has been implemented in their REST API since the end of 2010 (https://www.jfrog.com/jira/browse/RTFACT-3676).

1 reaction
papidal commented, May 11, 2018

Thank you, it would be very interesting to integrate with Artifactory (we use it as an internal repository). If you see another service similar to Maven Central, please let me know.
