Nexus Analyzer


Henri Gomez

Oct 8, 2014, 7:36:41 AM
to dependen...@googlegroups.com
Hi all,

We get in trouble some days ago being unable to fetch contents from repository.sonatype.org.
After some analysis, we discovered Sonatype blocked one of our IP.

We contacted Sonatype support and they confirmed our IP was blocked due to excessive requests to https://repository.sonatype.org/service/local/identify/sha1

The problem appeared in March 2014, and it seems that at this time DC by default tried to resolve artifacts using sha1 requests to repository.sonatype.org.

Is it still the current situation?

If so, I would highly suggest disabling it, since DC users could be blacklisted and blocked from repository.sonatype.org, the Nexus site also used to fetch regular artifacts.

Regards

Steve Springett

Oct 8, 2014, 11:17:18 AM
to dependen...@googlegroups.com
Henri,
By default, the CLI, Maven plugin and Ant task have the Nexus analyzer enabled. The Jenkins plugin has this analyzer disabled by default. A local Nexus server can also be specified so that you're not relying on Maven Central for results.

Will, 
Any thoughts on how to remediate this type of situation going forward?

--Steve

Jeremy Long

Oct 8, 2014, 1:29:28 PM
to Steve Springett, dependen...@googlegroups.com

Likely need to cache results locally or disable the analyzer by default. Thoughts?

Jeremy

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Steve Springett

Oct 8, 2014, 2:21:02 PM
to dependen...@googlegroups.com
Caching the results makes a lot of sense, especially if we can do so using the existing data directory, either in a database or text file.

colezlaw

Oct 9, 2014, 7:33:01 AM
to dependen...@googlegroups.com
As Jeremy mentioned, if you've got an internal Nexus repository, you can configure that. In dependencycheck.properties, set analyzer.nexus.url to your internal Nexus repository.

We've talked about caching, and another possibility might be to not use Nexus if POM properties were identified.

I'll also work on the Maven Central search analyzer which will (hopefully) replace Sonatype as the default. You can continue to use Nexus internally, but the default global one would be to use the service API at search.maven.org.

Brian Fox

Oct 9, 2014, 1:26:21 PM
to dependen...@googlegroups.com, st...@springett.us
Hi Jeremy, using our service to look up hashes is OK, we just didn't understand what the usage was all about. That said, it would be better if you could use search.maven.org instead for the lookups. The API is documented at http://search.maven.org/#api and a hash lookup would be like this:

You can also use wt=xml if you prefer that over JSON.

Now that we know what this usage is, we don't accidentally block anyone, but let us know how we can help move you to the search instance.

Thanks,
Brian
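As an added example (not code from the thread, from Sonatype, or from Dependency-Check itself), a small Python client for the search.maven.org SHA-1 lookup Brian points to, combined with the local result cache Jeremy and Steve propose so that a scan never sends the same hash to the service twice. The `solrsearch/select` path and the `q=1:"<sha1>"` query syntax are assumptions taken from the linked API documentation rather than from the thread, and the JSON response is a constructed sample.

```python
import hashlib
import json
import urllib.parse
import urllib.request
from pathlib import Path

# Assumption from the search.maven.org API docs (not quoted in the thread): q=1:"<sha1>" searches by SHA-1.
SEARCH_URL = "https://search.maven.org/solrsearch/select"

# Constructed sample response in the solrsearch JSON shape, so the example runs offline.
SAMPLE_RESPONSE = json.dumps({"response": {"numFound": 1, "docs": [
    {"id": "org.example:demo:1.0", "g": "org.example", "a": "demo", "v": "1.0"}]}})

def sha1_of_file(path):
    """Hex SHA-1 of a file, streamed so large jars are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_query_url(sha1, rows=20):
    """URL for a SHA-1 lookup (wt=xml also works, as Brian notes above)."""
    params = {"q": '1:"%s"' % sha1.lower(), "rows": rows, "wt": "json"}
    return SEARCH_URL + "?" + urllib.parse.urlencode(params)

def parse_hits(body):
    """(groupId, artifactId, version) triples from a solrsearch JSON response."""
    docs = json.loads(body).get("response", {}).get("docs", [])
    return [(d["g"], d["a"], d["v"]) for d in docs]

def http_fetch(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

class CachedHashLookup:
    """Per-SHA-1 disk cache (the remediation discussed above): each hash hits the service once."""
    def __init__(self, cache_dir, fetch=http_fetch):
        self.cache_dir = Path(cache_dir)
        self.cache_dir.mkdir(parents=True, exist_ok=True)
        self.fetch = fetch
        self.remote_calls = 0  # how often the service was actually contacted

    def lookup(self, sha1):
        cached = self.cache_dir / (sha1.lower() + ".json")
        if cached.exists():
            return parse_hits(cached.read_text())
        body = self.fetch(build_query_url(sha1))
        self.remote_calls += 1
        cached.write_text(body)  # cache empty results too, so unknown jars are not re-asked
        return parse_hits(body)
```

Pointing `cache_dir` at the analyzer's existing data directory gives the persistent cache Steve describes; passing a different `fetch` lets you test the cache without any network access.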

William Stranathan

Oct 9, 2014, 1:50:21 PM
to Brian Fox, dependen...@googlegroups.com, Steve Springett
Fantastic! Thanks to Sonatype for getting back to us on this!

Yes - I have plans to switch to solrsearch, but was reviewing the ToS this morning and was also afraid we might hit the same velocity restrictions - but your email makes me feel a lot better about the transition.

Jeremy - I'll make the switch to solr a priority. 
