Hi, all, I am working in a corporate environment that uses Artifactory and Nexus as artifact repositories. Access to Maven Central and any other public repositories is blocked in the corporate network. Public repositories can only be accessed through Artifactory or Nexus as a proxy/cache.
JFrog Xray and Sonatype Nexus IQ are being used to scan all artifacts that are published to these repositories or pulled from the public ones for security vulnerabilities. The company is particularly sensitive to dependencies with publicly reported CVEs. Once a dependency is identified with a CVE, it is hard-deleted from the corresponding repository. As a result, I can see Maven builds failing because dependencies that are OK often have dependencies on other artifacts that have CVEs reported against them and, thus, were deleted from the repositories.

I want to use <exclusions> in my pom.xml files and replace the versions of these transitive dependencies with others, slightly newer or older, that do not have CVEs reported against them and, thus, are still in the internal repositories. However, Maven seems to still attempt to download these transitive dependencies from the repositories before applying the exclusions I configured in the pom.xml. If this is the way it behaves, my builds will keep failing.

Can anyone here confirm whether this is the expected behaviour for Maven? Is it really going to download all transitive dependencies in accordance with the original relationships before applying the exclusions I have configured in the pom.xml? If so, is there any way I can tell Maven not to attempt to download versions that I have already excluded in the pom.xml? I already searched through the documentation, but I could not find this level of detail anywhere. Thank you.
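Added example, not part of the original post: a minimal pom.xml fragment showing the two pieces the question describes, an <exclusions> element on the direct dependency that drops the transitive artifact, and a replacement declaration of that artifact at a version that is still present in the internal repository. The version is pinned once in <dependencyManagement> so every module of the build resolves the same replacement. All coordinates (com.example:library-a, com.example:library-b) and version numbers are constructed placeholders, not real artifacts.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>internal-app</artifactId>
  <version>1.0.0</version>

  <!-- Pin the replacement version of the transitive dependency in one place.
       Maven applies managed versions to transitive dependencies as well,
       so this alone already overrides the version library-a would pull in. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>library-b</artifactId>
        <version>2.1.1</version> <!-- constructed: version still present in the internal repo -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Direct dependency whose own POM references the deleted library-b version. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>library-a</artifactId>
      <version>1.4.0</version>
      <exclusions>
        <!-- Exclusions are scoped to this declaration only: if another direct
             dependency also references library-b, it needs its own exclusion. -->
        <exclusion>
          <groupId>com.example</groupId>
          <artifactId>library-b</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Re-add library-b explicitly; the version comes from dependencyManagement. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>library-b</artifactId>
    </dependency>
  </dependencies>
</project>
```

To check what Maven actually resolved, run `mvn dependency:tree` in the module and look for library-b: it should appear exactly once, at the managed version. If the deleted version still shows up, the tree output names the parent that brings it in, which tells you which other declaration needs the exclusion or whether the reference comes from a plugin rather than a project dependency.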