
Unable to disable nexus analyzer #327

Closed
bezda opened this issue Aug 28, 2015 · 6 comments
Comments

@bezda

bezda commented Aug 28, 2015

I have this configuration for the Maven plugin:

<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>1.3.0</version>
    <configuration>
        <cveUrl12Modified>${cvecache.url.base}/nvdcve-Modified.xml.gz</cveUrl12Modified>
        <cveUrl20Modified>${cvecache.url.base}/nvdcve-2.0-Modified.xml.gz</cveUrl20Modified>
        <cveUrl12Base>${cvecache.url.base}/nvdcve-%d.xml.gz</cveUrl12Base>
        <cveUrl20Base>${cvecache.url.base}/nvdcve-2.0-%d.xml.gz</cveUrl20Base>
        <dataDirectory>/tmp/owaspdb</dataDirectory>
        <centralAnalyzerEnabled>false</centralAnalyzerEnabled>
        <nexusAnalyzerEnabled>false</nexusAnalyzerEnabled>
        <nexusUrl>http://nonexist/</nexusUrl>
        <nexusUsesProxy>false</nexusUsesProxy>
    </configuration>
    <executions>
        <execution>
            <phase>validate</phase>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>

but when I run mvn dependency-check:check, the plugin is still trying to connect to the Nexus repository:

8032 [INFO] org.apache.maven.cli.event.ExecutionEventLogger - --- dependency-check-maven:1.3.0:check (default-cli) @ web-common ---
29881 [INFO] org.owasp.dependencycheck.analyzer.CentralAnalyzer - Central analyzer disabled
29983 [INFO] org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager - artifact org.joda:joda-convert: checking for updates from nexus
30493 [INFO] org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager - artifact org.scala-lang:scala-reflect: checking for updates from nexus
35826 [INFO] org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager - artifact com.gumtree.web:common: checking for updates from nexus
@jeremylong
Owner

This is not actually the NexusAnalyzer. This is core Maven functionality. When I ran a test case I got:

[INFO] artifact org.apache.tomcat:tomcat-juli: checking for updates from central

I do not have any internal repositories set up; I am assuming you have an internal Nexus server configured in your pom or settings.xml. Note, I ran the test twice back to back with identical commands - the info indicating 'checking for updates' only occurred on the first call.

--Jeremy

@bezda
Author

bezda commented Sep 1, 2015

Hi Jeremy,

Maven skips it the second time because it stores metadata in resolver-status.properties (nexus.maven-metadata-nexus.xml.lastUpdated=...).

But you're correct, it's not from NexusAnalyzer, it's from BaseDependencyCheckMojo; I just don't see any way to disable it.

 [INFO] org.owasp.dependencycheck.analyzer.CentralAnalyzer - Central analyzer disabled
 [DEBUG] org.owasp.dependencycheck.analyzer.NexusAnalyzer - Nexus analyzer disabled, using Central instead
 [DEBUG] org.owasp.dependencycheck.maven.CheckMojo - Adding project reference Gumtree Common on dependency slf4j-api-1.6.6.jar
 [DEBUG] org.apache.maven.repository.legacy.DefaultUpdateCheckManager - Determining update check for artifact org.slf4j:slf4j-api (/home/tbezdek/.m2/repository/org/slf4j/slf4j-api/maven-metadata-nexus.xml) from nexus (http://nexus.ci.gumtree.com/nexus/content/groups/public/)
 [DEBUG] org.apache.maven.repository.legacy.DefaultUpdateCheckManager - Searching for nexus.maven-metadata-nexus.xml.lastUpdated in resolution tracking file.
 [DEBUG] org.apache.maven.repository.legacy.DefaultUpdateCheckManager - Reading resolution-state from: /home/tbezdek/.m2/repository/org/slf4j/slf4j-api/resolver-status.properties
 [DEBUG] org.owasp.dependencycheck.maven.Engine - Checking root project, gumtree, if updates have already been completed
 [DEBUG] org.owasp.dependencycheck.Engine - 
----------------------------------------------------
BEGIN ANALYSIS
----------------------------------------------------
 [INFO] org.owasp.dependencycheck.Engine - Analysis Starting
 [DEBUG] org.owasp.dependencycheck.Engine - Initializing Archive Analyzer

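The log lines and the resolver-status.properties key quoted above are enough to audit this behaviour from the outside, which is useful when a build is expected to stay inside a controlled network. The following is an added example, not code from this issue or from the dependency-check project: it parses Maven log output of the shape shown above to list which remote repository ids the build asked for fresh metadata (and for which artifacts), and it reads the lastUpdated stamps from a resolver-status.properties file to show why the second run is silent. The sample log text and the properties content are constructed for the example; the 1440-minute window assumes Maven's default "daily" updatePolicy.

```python
import re
from collections import defaultdict

# Constructed sample of Maven log output, modelled on the lines quoted in this issue.
SAMPLE_LOG = """\
8032 [INFO] org.apache.maven.cli.event.ExecutionEventLogger - --- dependency-check-maven:1.3.0:check (default-cli) @ web-common ---
29881 [INFO] org.owasp.dependencycheck.analyzer.CentralAnalyzer - Central analyzer disabled
29983 [INFO] org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager - artifact org.joda:joda-convert: checking for updates from nexus
30493 [INFO] org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager - artifact org.scala-lang:scala-reflect: checking for updates from nexus
31000 [INFO] org.apache.maven.artifact.repository.metadata.DefaultRepositoryMetadataManager - artifact org.apache.tomcat:tomcat-juli: checking for updates from central
"""

# "artifact <group>:<id>: checking for updates from <repoId>"
UPDATE_CHECK = re.compile(
    r"artifact (?P<artifact>[\w.\-]+:[\w.\-]+): checking for updates from (?P<repo>\S+)"
)


def remote_update_checks(log_text):
    """Map each remote repository id to the artifacts Maven asked it for fresh metadata."""
    checks = defaultdict(list)
    for line in log_text.splitlines():
        m = UPDATE_CHECK.search(line)
        if m:
            checks[m.group("repo")].append(m.group("artifact"))
    return dict(checks)


# Constructed resolver-status.properties content, following the key shape quoted in the
# issue: <repoId>.maven-metadata-<repoId>.xml.lastUpdated=<epoch millis>
SAMPLE_RESOLVER_STATUS = """\
#NOTE: This is an Aether internal implementation file, its format can be changed without prior notice.
#Tue Sep 01 12:00:00 CEST 2015
nexus.maven-metadata-nexus.xml.lastUpdated=1441101600000
central.maven-metadata-central.xml.lastUpdated=1441101500000
"""

LAST_UPDATED = re.compile(
    r"^(?P<repo>[^.=]+)\.maven-metadata-(?P=repo)\.xml\.lastUpdated=(?P<ts>\d+)$"
)


def last_updated_stamps(props_text):
    """Return {repoId: epoch_millis} for every lastUpdated entry in a resolver-status file."""
    stamps = {}
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blanks in the properties file
        m = LAST_UPDATED.match(line)
        if m:
            stamps[m.group("repo")] = int(m.group("ts"))
    return stamps


def due_for_update(stamps, now_millis, interval_minutes=1440):
    """Repository ids whose stamp is older than the update interval.

    Assumes Maven's default 'daily' updatePolicy (1440 minutes); a repository in
    this list would be contacted again on the next resolution.
    """
    cutoff = now_millis - interval_minutes * 60_000
    return sorted(repo for repo, ts in stamps.items() if ts < cutoff)


if __name__ == "__main__":
    for repo, artifacts in remote_update_checks(SAMPLE_LOG).items():
        print(f"{repo}: {len(artifacts)} metadata lookups -> {', '.join(artifacts)}")
    stamps = last_updated_stamps(SAMPLE_RESOLVER_STATUS)
    print("lastUpdated stamps:", stamps)
    print("due one minute later:", due_for_update(stamps, 1441101600000 + 60_000))
    print("due two days later:", due_for_update(stamps, 1441101600000 + 2 * 86_400_000))
```

Running the parser over a real build log (mvn -X output or the INFO lines above) gives the set of repository ids a scan reaches out to, which is the quickest way to tell a Maven metadata refresh apart from traffic generated by the NexusAnalyzer itself.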
@jeremylong
Owner

Is there a need to disable this check? This call is just base Maven functionality; the features we have the disable arguments for are things that dependency-check does that are not part of the core Maven functionality. The thought being that if you are already using Maven these (types of) calls are already happening, and I did not see a need to be able to disable them.

--Jeremy

@bezda
Author

bezda commented Sep 1, 2015

CheckMojo is explicitly calling
final List<ArtifactVersion> versions = metadataSource.retrieveAvailableVersions(a, localRepository, remoteRepositories);
for each artifact. To me this seems like functionality of the Versions Maven Plugin. The base Maven functionality is imho trying to check for new versions only for SNAPSHOT artifacts.
I think that OWASP dependency-check should just try to analyze the dependencies defined in the pom, or is there any other need to check if a newer version of an artifact exists?

@jeremylong
Owner

This was an attempt at resolving issue #22. As I don't have a good solution for the other interfaces (ant, cli, etc.), I have commented out the code that checks for the versions in 1.3.1-SNAPSHOT.

@lock

lock bot commented Sep 28, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Sep 28, 2018