Nexus Analyzer


Henri Gomez

Oct 8, 2014, 7:36:41 AM
Hi all,

We got into trouble some days ago, being unable to fetch contents from
After some analysis, we discovered Sonatype blocked one of our IP.

We contacted Sonatype support and they confirmed our IP was blocked due to excessive requests to

The problem appeared in March 2014, and it seems that at this time DC by default tried to resolve artifacts using sha1 requests to

Is it still the current situation?

If so, I would highly suggest disabling it, since DC users could be blacklisted and blocked from, the Nexus site that is also used to fetch regular artifacts.


Steve Springett

Oct 8, 2014, 11:17:18 AM
By default, the CLI, Maven plugin and Ant task have the Nexus analyzer enabled. The Jenkins plugin has this analyzer disabled by default. A local Nexus server can also be specified so that you're not relying on Maven Central for results.

Any thoughts on how to remediate this type of situation going forward?


Jeremy Long

Oct 8, 2014, 1:29:28 PM
to Steve Springett,

Likely need to cache results locally or disable the analyzer by default. Thoughts?



Steve Springett

Oct 8, 2014, 2:21:02 PM
Caching the results makes a lot of sense, especially if we can do so using the existing data directory, either in a database or text file.


Oct 9, 2014, 7:33:01 AM
As Jeremy mentioned, if you've got an internal Nexus repository, you can configure that. In, set to your internal Nexus repository.

We've talked about caching, and another possibility might be to not use Nexus if POM properties were identified.

I'll also work on the Maven Central search analyzer which will (hopefully) replace Sonatype as the default. You can continue to use Nexus internally, but the default global one would be to use the service API at

Brian Fox

Oct 9, 2014, 1:26:21 PM
Hi Jeremy, using our service to look up hashes is OK, we just didn't understand what the usage was all about. That said, it would be better if you could use instead for the lookups. The API is documented at and a hash lookup would be like this:

You can also use wt=xml if you prefer that over JSON.

Now that we know what this usage is, we won't accidentally block anyone, but let us know how we can help move you to the search instance.
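As an added illustration (not code from this thread or from Dependency-Check), here is a Python sketch of the hash lookup Brian describes, combined with the local result cache Jeremy and Steve propose so that repeated scans do not keep hitting the service. The endpoint URL, the `q=1:"<sha1>"` query field and the JSON response shape are assumptions drawn from the public Maven Central search API as I know it (the thread itself elides them), and the sample response is constructed.

```python
import hashlib
import json
import urllib.parse

# Assumed endpoint of the Maven Central search service (solrsearch); the thread
# elides it, so check the current API documentation before relying on it.
SOLR_SEARCH_URL = "https://search.maven.org/solrsearch/select"


def sha1_of_file(path):
    """SHA-1 of a local artifact, hashed in chunks so large jars fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_query_url(sha1_hex, wt="json"):
    """Hash lookup URL; q=1:"<sha1>" is the solrsearch SHA-1 field (assumed)."""
    params = {"q": '1:"%s"' % sha1_hex.lower(), "rows": "20", "wt": wt}
    return SOLR_SEARCH_URL + "?" + urllib.parse.urlencode(params)


def parse_gav(json_text):
    """Extract (group, artifact, version) triples from a wt=json response."""
    docs = json.loads(json_text).get("response", {}).get("docs", [])
    return [(d["g"], d["a"], d["v"]) for d in docs]


class CachedHashLookup:
    """Caches hash -> coordinates so rescans do not re-query the service."""

    def __init__(self, fetch):
        self._fetch = fetch      # callable(url) -> response body as str
        self._cache = {}         # sha1 (lowercase) -> list of (g, a, v)
        self.remote_calls = 0    # how many times the service was actually hit

    def lookup(self, sha1_hex):
        key = sha1_hex.lower()
        if key not in self._cache:
            self.remote_calls += 1
            self._cache[key] = parse_gav(self._fetch(build_query_url(key)))
        return self._cache[key]


# Constructed sample reply, shaped like a wt=json solrsearch response (assumed).
SAMPLE_RESPONSE = json.dumps({"response": {"numFound": 1, "docs": [
    {"g": "org.example", "a": "demo-lib", "v": "1.2.3", "p": "jar"}]}})
SAMPLE_SHA1 = hashlib.sha1(b"constructed artifact bytes").hexdigest()
```

In a real scan the `fetch` callable would perform the HTTP request (with a polite rate limit), and the cache dictionary would be persisted in the existing data directory between runs.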


William Stranathan

Oct 9, 2014, 1:50:21 PM
to Brian Fox,, Steve Springett
Fantastic! Thanks to Sonatype for getting back to us on this!

Yes - I have plans to switch to solrsearch, but was reviewing the ToS this morning and was also afraid that we might hit the same velocity restrictions - but your email makes me feel a lot better about the transition.

Jeremy - I'll make the switch to solr a priority. 
