Skip to content

docs: Clarify Nexus Analyzer requirements and usage #8000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 3, 2025
Merged

docs: Clarify Nexus Analyzer requirements and usage #8000

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion ant/src/site/markdown/configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ be needed.
| ossindexAnalyzerUsername | Sets the username for OSS Index - note an account with OSS Index is not required. |   |
| ossindexAnalyzerPassword | Sets the password for OSS Index. |   |
| ossIndexAnalyzerWarnOnlyOnRemoteErrors | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely. |   |
| nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true |
| nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations. | true |
| nexusUrl | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |   |
| nexusUser | The username to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection. |   |
| nexusPassword | The password to authenticate to the Nexus Server's web service end point. If not set the Nexus Analyzer will use an unauthenticated connection. |   |
Expand Down
2 changes: 1 addition & 1 deletion cli/src/site/markdown/arguments.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ Advanced Options
| | \-\-centralUsername | \<username\> | The username to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection. | &nbsp; |
| | \-\-centralPassword | \<password\> | The password to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection. | &nbsp; |
| | \-\-centralBearerToken | \<token\> | The token to authenticate with bearer auth to the alternative Maven Central url set by the 'centralUrl' argument. If neither basic nor bearer auth config is set it will use an unauthenticated connection. | &nbsp; |
| | \-\-enableNexus | | Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server. | &nbsp; |
| | \-\-enableNexus | | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations. | &nbsp; |
| | \-\-enableArtifactory | | Sets whether Artifactory analyzer will be used | &nbsp; |
| | \-\-artifactoryUrl | \<url\> | The Artifactory server URL. | &nbsp; |
| | \-\-artifactoryUseProxy | \<true\|false\> | Whether Artifactory should be accessed through a proxy or not. | false |
Expand Down
2 changes: 1 addition & 1 deletion maven/src/site/markdown/configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ be needed.
| ossIndexPassword | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. | &nbsp; |
| ossindexAnalyzerUrl | The OSS Index server URL | https://ossindex.sonatype.org |
| ossIndexWarnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false |
| nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true |
| nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations. | true |
| nexusUrl | Defines the Nexus Server's web service end point (example http://domain.enterprise/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp; |
| nexusServerId | The id of a server defined in the settings.xml that configures the credentials (username and password) for a Nexus server's REST API end point. When not specified the communication with the Nexus server's REST API will be unauthenticated. | &nbsp; |
| nexusUsesProxy | Whether or not the defined proxy should be used when connecting to Nexus. | true |
Expand Down
15 changes: 10 additions & 5 deletions src/site/markdown/analyzers/nexus-analyzer.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,22 @@
Nexus Analyzer
==============
**Requires Nexus Pro**

The Nexus Analyzer will check for the Maven GAV (Group/Artifact/Version) information
for artifacts in the scanned area. This is done by determining if an artifact exists
in a Nexus Pro installation using the SHA-1 hash of the artifact scanned. If the
in a Sonatype Nexus installation using the SHA-1 hash of the artifact scanned. If the
artifact's hash is found in the configured Nexus repository, its GAV is recorded as
an Identifier and the Group is collected as Vendor evidence, the Artifact is
collected as Product evidence, and the Version is collected as Version evidence.

The Nexus Analyzer has been superceded by the Central Analyzer. If both the
Central Analyzer and Nexus Analyzer are enabled and the Nexus URL has not
been configured to point to an instance of Nexus Pro the Nexus Analyzer will
The Nexus Analyzer is an alternative to the Central or Artifactory Analyzers and can
be used to limit dependencies on an external resource such as Maven Central, as well
as providing POM information for artifacts not available in Maven Central. Use by ODC
is thus similar to how users may choose to run their own Nexus instance to proxy
artifact retrieval from Maven Central to limit internet usage and/or dependence on
external infrastructure.

If both the Central Analyzer and Nexus Analyzer are enabled and the Nexus URL has not
been configured to point to a Sonatype Nexus instance the Nexus Analyzer will
disable itself.

Logging
Expand Down
Loading