[ 
https://issues.apache.org/jira/browse/KNOX-1721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16732447#comment-16732447
 ] 

Kevin Risden commented on KNOX-1721:
------------------------------------

So I got the same failures locally. commonj.sdo is only in the jboss-public Maven 
repository or http://maven.geomajas.org/ according to 
https://mvnrepository.com/artifact/commonj.sdo/commonj.sdo/2.1.1. The 
shibboleth failures are due to missing the shibboleth repository 
https://build.shibboleth.net/nexus/content/groups/public. It looks like the 
OWASP dependency plugin doesn't pick up transitive repositories defined for 
dependencies. pac4j-saml defines the shibboleth repository.

I was able to get OWASP to run successfully after putting the following in the 
top-level pom:

{code:xml}
    <repositories>
        <repository>
            <id>jboss-puplic</id>
            <url>https://repository.jboss.org/nexus/content/repositories/public</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
            <releases>
                <enabled>true</enabled>
            </releases>
        </repository>
        <repository>
            <id>shib-release</id>
            <url>https://build.shibboleth.net/nexus/content/groups/public</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
            <releases>
                <enabled>true</enabled>
            </releases>
        </repository>
    </repositories>
{code}

I think my Jenkins Nexus repo proxies those two repositories anyway and that is 
why I haven't seen this before.

Adding the shibboleth repository seems correct since that is the canonical 
source for those dependencies (they aren't on Maven Central). For commonj.sdo, 
I don't know where that is coming from off the top of my head. That it isn't in 
Maven Central and some random repository is hosting it seems weird.

> Upgrade dependency-check-maven to 4.0.2
> ---------------------------------------
>
>                 Key: KNOX-1721
>                 URL: https://issues.apache.org/jira/browse/KNOX-1721
>             Project: Apache Knox
>          Issue Type: Sub-task
>          Components: Build
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Trivial
>             Fix For: 1.3.0
>
>         Attachments: KNOX-1721.patch
>
>
> Upgrade dependency-check-maven 4.0.1 to 4.0.2



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

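A check for the gap described in the comment above, as an added example that is not part of the original message or the Knox build: it compares the `<repositories>` of a top-level POM with those declared by dependency POMs and reports the ones the top-level POM lacks. The POM snippets, ids and function names are constructed for illustration; only the two repository URLs come from the message.

```python
import xml.etree.ElementTree as ET

# Constructed sample POMs (not the real Knox or pac4j-saml files).
TOP_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>jboss-public</id>
      <url>https://repository.jboss.org/nexus/content/repositories/public</url>
    </repository>
  </repositories>
</project>"""

DEPENDENCY_POMS = {
    "pac4j-saml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>shib-release</id>
      <url>https://build.shibboleth.net/nexus/content/groups/public/</url>
    </repository>
  </repositories>
</project>""",
}

def _local(tag):
    """Strip the XML namespace so namespaced and plain POMs both parse."""
    return tag.rsplit("}", 1)[-1]

def declared_repositories(pom_xml):
    """Return {url: id} for the <repositories> directly under <project>."""
    repos = {}
    for block in ET.fromstring(pom_xml):
        if _local(block.tag) != "repositories":
            continue
        for repo in block:
            fields = {_local(c.tag): (c.text or "").strip() for c in repo}
            url = fields.get("url", "").rstrip("/")  # ignore trailing slash
            if url:
                repos[url] = fields.get("id", "")
    return repos

def missing_from_top_level(top_pom, dependency_poms):
    """Map each repository URL a dependency declares but the top-level POM lacks."""
    known = declared_repositories(top_pom)
    missing = {}
    for name, pom in dependency_poms.items():
        for url in declared_repositories(pom):
            if url not in known:
                missing.setdefault(url, []).append(name)
    return missing

if __name__ == "__main__":
    for url, deps in missing_from_top_level(TOP_POM, DEPENDENCY_POMS).items():
        print(f"not in top-level pom: {url} (declared by {', '.join(deps)})")
```

Each URL it reports is one a scanner resolving only from the top-level POM would not reach, and one to review before adding, since every added repository becomes a trusted artifact source for the build.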