cyclonedx-maven-plugin: Missing dependency in 2.0.0

There seems to be a missing dependency in the latest release. For the past few hours we have seen a lot of failures on our CIs when invoking cyclonedx-maven-plugin via the CLI, like this:

[ERROR] Failed to execute goal org.cyclonedx:cyclonedx-maven-plugin:2.0.0:makeAggregateBom (default-cli) on project MyProject: Execution default-cli of goal org.cyclonedx:cyclonedx-maven-plugin:2.0.0:makeAggregateBom failed: Plugin org.cyclonedx:cyclonedx-maven-plugin:2.0.0 or one of its dependencies could not be resolved: Could not find artifact com.github.everit-org.json-schema:org.everit.json.schema:jar:1.12.1 in my-mirror (https://nexus.example.com/nexus/repository/my-mirror) -> [Help 1]

I searched for com.github.everit-org.json-schema:org.everit.json.schema on search.maven.org and I didn’t find it, even for past versions… are the groupId and artifactId correct?

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 7
  • Comments: 17 (8 by maintainers)

Most upvoted comments

With version 2.3.0 of the Maven plugin, this issue no longer exists.

We were having the same problem.

I think that the mistake resides in the mirror use in our settings: if I declare a mirror in my settings.xml then all requests to resolve a dependency will be redirected through that mirror which, in our case, doesn’t contain a proxy for the jitpack repository.

@mvanini in our case, changing the config from this:

....
    <mirror>
      <id>mirror</id>
      <mirrorOf>*</mirrorOf>
      <name>MyCompany Nexus Mirror</name>
      <url>https://nexus.mycompany.net/content/groups/public</url>
    </mirror>
....

To this:

....
    <mirror>
      <id>mirror</id>
      <mirrorOf>central</mirrorOf>
      <name>MyCompany Nexus Mirror</name>
      <url>https://nexus.mycompany.net/content/groups/public</url>
    </mirror>
....

(Mind the mirrorOf change) solved the issue.

More info: https://maven.apache.org/guides/mini/guide-mirror-settings.html
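The effect of the mirrorOf change above can be checked by computing which URL each repository id is routed to. This is an added example, not part of the thread or of Maven's own code: it applies the `*`, `external:*`, exact-id and `!id` patterns described in the mirror guide, and the repository id `jitpack.io`, the repository URLs and the first-match ordering are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed settings.xml, modelled on the "before" fragment in the comment above.
SETTINGS_BEFORE = """<settings><mirrors><mirror>
  <id>mirror</id><mirrorOf>*</mirrorOf>
  <url>https://nexus.mycompany.net/content/groups/public</url>
</mirror></mirrors></settings>"""
SETTINGS_AFTER = SETTINGS_BEFORE.replace("<mirrorOf>*</mirrorOf>",
                                         "<mirrorOf>central</mirrorOf>")
# Repositories a build might declare; ids and URLs are assumptions.
REPOS = {"central": "https://repo1.maven.org/maven2",
         "jitpack.io": "https://jitpack.io"}

def _name(elem):
    return elem.tag.rsplit("}", 1)[-1]      # ignore an xmlns prefix if present

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _name(c) == name), "")

def is_external(url):
    u = urlparse(url)
    return u.scheme != "file" and u.hostname not in ("localhost", "127.0.0.1")

def mirror_matches(mirror_of, repo_id, repo_url):
    """Apply the mirrorOf patterns listed in the Maven mirror guide."""
    matched = False
    for pat in (p.strip() for p in mirror_of.split(",")):
        if pat.startswith("!") and pat[1:] == repo_id:
            return False                    # an explicit exclusion always wins
        if pat == repo_id:
            return True                     # exact repository id
        if pat == "*" or (pat == "external:*" and is_external(repo_url)):
            matched = True                  # keep scanning for a later exclusion
    return matched

def routing(settings_xml, repos=REPOS):
    """Map each repository id to the URL that would actually be contacted."""
    mirrors = [(_text(m, "mirrorOf"), _text(m, "url"))
               for m in ET.fromstring(settings_xml).iter() if _name(m) == "mirror"]
    # Simplification: mirrors are tried in file order and the first match wins.
    return {rid: next((murl for pat, murl in mirrors
                       if mirror_matches(pat, rid, url)), url)
            for rid, url in repos.items()}

if __name__ == "__main__":
    for label, xml in (("before", SETTINGS_BEFORE), ("after", SETTINGS_AFTER)):
        print(label, routing(xml))
```

With `*`, every repository id resolves through the Nexus URL; with `central`, the `jitpack.io` repository is contacted directly and no longer passes through the proxy.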

Hi @coderpatros, Maven by default resolves dependencies via https://repo1.maven.org (which is the backend of the search.maven.org webapp that I mentioned before). In our CI environment we have a corporate Maven repository (Sonatype Nexus) which is also used as a proxy for all major public repositories, repo1.maven.org included. For our scenario we can add a mirror for jitpack in our Nexus, but it is a workaround, not really a solution: not everyone who uses this plugin has a local Maven repository to store that dependency or the possibility to mirror jitpack.

I think that all dependencies needed by a Maven plugin must be publicly available on the same repository where Maven looks for it.

Is there any interesting information about your CI environment that you can share? And do you also hit it running locally?

Yes, I have the same result if I run it locally

I think that the mistake resides in the mirror use in our settings: if I declare a mirror in my settings.xml then all requests to resolve a dependency will be redirected through that mirror which, in our case, doesn’t contain a proxy for the jitpack repository.

It’s strange that it faults only on version 2.0.0; our config has been the same for years. Is this a newly declared dependency in the latest release?

I personally do not use Nexus proxy since provenance information becomes opaque.

In an enterprise scenario with many projects, each one with its own dependencies, having a local Maven repository for public dependencies saves us a huge amount of outbound network traffic to the internet.