DependencyCheck: Central analyzer doesn't use our mirror, and Maven Central is often overloaded
We have configured the OWASP Dependency-Check to run as part of our build process with Maven, but it often fails the build because it cannot contact Maven Central.
It seems to contact Maven Central even though we have our own Nexus server configured in a `<repositories>` block in the POM file.
The relevant part of the log is:
```
[ERROR] Could not connect to Central search. Analysis failed.
java.io.IOException: Finally failed connecting to Central search. Giving up after 5 tries.
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts (CentralAnalyzer.java:288)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency (CentralAnalyzer.java:198)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:136)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)
Caused by: java.io.IOException: Could not connect to MavenCentral (503): Service Unavailable: Back-end server is at capacity
    at org.owasp.dependencycheck.data.central.CentralSearch.searchSha1 (CentralSearch.java:194)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.fetchMavenArtifacts (CentralAnalyzer.java:266)
    at org.owasp.dependencycheck.analyzer.CentralAnalyzer.analyzeDependency (CentralAnalyzer.java:198)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:136)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)
```
About this issue
- State: closed
- Created 6 years ago
- Reactions: 7
- Comments: 21 (11 by maintainers)
@jeremylong Have you recently looked into Artifactory’s usability from DepCheck? If not, I’m offering to take a look. Their issue tracker indicates that hash search for artifacts has been implemented in their REST API since the end of 2010 (https://www.jfrog.com/jira/browse/RTFACT-3676).
Thank you, it would be very interesting to integrate with Artifactory (we use it as an internal repository). If you see another service similar to Maven Central, please let me know.