regression: dependency-check-maven does not take dependencies' repositories into account anymore

I upgraded the maven plugin from 6.2.2 to 6.3.1 and now I’m getting this error during the execution of the check goal:

Caused by: org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
	ArtifactResolverException: Could not find artifact com.github.graphstream:gs-ui-swing:jar:2.0 in central (https://repo.maven.apache.org/maven2)
		caused by ArtifactResolutionException: Could not find artifact com.github.graphstream:gs-ui-swing:jar:2.0 in central (https://repo.maven.apache.org/maven2)
		caused by ArtifactNotFoundException: Could not find artifact com.github.graphstream:gs-ui-swing:jar:2.0 in central (https://repo.maven.apache.org/maven2)
	ArtifactResolverException: Could not find artifact com.github.graphstream:gs-core:jar:2.0 in central (https://repo.maven.apache.org/maven2)
		caused by ArtifactResolutionException: Could not find artifact com.github.graphstream:gs-core:jar:2.0 in central (https://repo.maven.apache.org/maven2)
		caused by ArtifactNotFoundException: Could not find artifact com.github.graphstream:gs-core:jar:2.0 in central (https://repo.maven.apache.org/maven2)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectMavenDependencies (BaseDependencyCheckMojo.java:1320)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.collectDependencies (BaseDependencyCheckMojo.java:1437)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.scanArtifacts (BaseDependencyCheckMojo.java:1098)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.scanArtifacts (BaseDependencyCheckMojo.java:1064)
    at org.owasp.dependencycheck.maven.CheckMojo.scanDependencies (CheckMojo.java:104)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.runCheck (BaseDependencyCheckMojo.java:1689)
    at org.owasp.dependencycheck.maven.BaseDependencyCheckMojo.execute (BaseDependencyCheckMojo.java:950)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
...

What is particular with this dependency is that it is downloaded from a repository that is declared in the pom of one of my project’s dependencies:

  • my project -> another project -> gs-core
  • with “another project” declaring a repository in its pom where gs-core can be found

Also note that executing the check goal directly on “another project” works as expected.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 9 (1 by maintainers)
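
The layout reported in the issue, where a repository is declared only in a dependency's POM, can be surfaced with a small audit over the POM files. This is an added example, not code from the issue or from dependency-check; the POMs are constructed, and the `another-project` coordinates and the repository URL are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
CENTRAL = "https://repo.maven.apache.org/maven2"

# Constructed POMs mirroring the issue's layout:
#   my project -> another project -> gs-core
# The com.example coordinates and the repository URL are placeholders.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>my-project</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>another-project</artifactId><version>1.0</version></dependency>
  </dependencies>
</project>"""

DEP_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>another-project</artifactId><version>1.0</version>
  <repositories>
    <repository><id>extra-repo</id><url>https://repo.example.invalid/maven</url></repository>
  </repositories>
  <dependencies>
    <dependency><groupId>com.github.graphstream</groupId><artifactId>gs-core</artifactId><version>2.0</version></dependency>
  </dependencies>
</project>"""

def declared_repos(pom_xml):
    """Map repository id -> URL for <repositories> declared in one POM."""
    root = ET.fromstring(pom_xml)
    return {r.findtext("m:id", default="", namespaces=NS):
            r.findtext("m:url", default="", namespaces=NS).rstrip("/")
            for r in root.findall("m:repositories/m:repository", NS)}

def direct_deps(pom_xml):
    """List groupId:artifactId:version for the POM's direct dependencies."""
    root = ET.fromstring(pom_xml)
    return [":".join(d.findtext(f"m:{k}", default="", namespaces=NS)
                     for k in ("groupId", "artifactId", "version"))
            for d in root.findall("m:dependencies/m:dependency", NS)]

def repos_only_in_dependency(root_pom, dep_pom):
    """Repositories the dependency's POM adds beyond the root's own and central."""
    known = set(declared_repos(root_pom).values()) | {CENTRAL}
    return {i: u for i, u in declared_repos(dep_pom).items() if u not in known}

def audit(root_pom, dep_pom):
    """Transitive artifacts that may resolve only via a dependency-declared repository."""
    extra = repos_only_in_dependency(root_pom, dep_pom)
    return [(dep, sorted(extra.values())) for dep in direct_deps(dep_pom)] if extra else []
```

A non-empty `audit` result marks artifacts that a resolver limited to the root project's repositories may fail to find, and it also lists the extra repositories a dependency brings into the build.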

Top GitHub Comments

1 reaction
jeremylong commented, Sep 7, 2021

@aikebah thanks for the research and PR! I’ll try to push a new release soon!

1 reaction
aikebah commented, Sep 4, 2021

@jeremylong Running a final test run on a working patch… no need for an interim-fix PR expected to follow soon
