Support private registries for Maven #1045
Comments
That would be a highly appreciated feature ;-) Right now it already fails for my most simple projects with: failed extracting pom.xml: failed to merge parents: failed to get Maven project my.maven:super-pom:1.7.2: API query failed: Maven registry query status: 4
#1045 Considering that we want to support native Maven registry, we need `MergeMavenParents` from `internal/manifest` in `internal/resolution/client`, however `internal/manifest` imports `internal/resolution/client` for `DependencyClient` for dependency resolution, and this causes an import cycle. This PR moves the Maven utility in `internal/manifest` to a separate package `internal/utility/maven`.
#1045 This PR adds a dependency client fetching from Maven Central repository:
- the client is based on the Maven registry API client
- fetched projects and metadata are cached
Some updates regarding this issue:
#1045 There are [repositories](https://maven.apache.org/pom.html#Repositories) defined in a Maven pom.xml. When looking for an artifact, these repositories are searched one by one until the artifact is found. Maven Central is the default registry and is tried last. To support this behaviour, this PR:
- makes `MavenRegistryAPIClient` host a list of registries besides the default registry
- adds `UpdateRegistries` to `DependencyClient` to update the registries
- adds a new flag to specify the default Maven registry for `fix`
- adds new experimental options to `scan` to align with what we have for `fix`

TODO:
- still need to update documentation for new options/flags
- update deps.dev Maven resolver for multi-registry resolution
- record not found requests to optimize performance
Should this issue be closed with #1286?
There is one optimisation PR in progress and this can be closed after that.
Follow up on #1045 Currently we cache the decoded Maven metadata and projects after fetching from Maven registries. We are not able to know whether a request was Not Found or not. We can avoid making redundant not found requests if we cache the whole response from Maven registries. This PR caches the response body as well as the status code. This greatly improves the resolution performance - resolving [registry.xml](https://github.com/google/osv-scanner/blob/main/cmd/osv-scanner/fixtures/maven-transitive/registry.xml) improves from 20s to 5s. A potential caveat is that the new cache may not work with the existing cache, however considering the cache expires after some time and this is still an experimental feature, I don't worry too much about this.
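The ordered registry search from the repositories comment and the status-code cache from the follow-up, combined in one added Go example that is not osv-scanner's own code; the registry hosts, artifacts and the `fetch` stand-in for HTTP are constructed for the demo:

```go
package main

import "strings"

// cachedResponse keeps the status code with the body, so a registry's 404 is remembered and never re-requested.
type cachedResponse struct{ status int; body string }
// registryClient searches registries in order (Maven Central last) and memoises every response by URL; fetch stands in for HTTP.
type registryClient struct {
	registries []string
	fetch      func(url string) (int, string)
	cache      map[string]cachedResponse
	requests   int // real fetches performed
}
// pomURL follows the standard Maven repository layout for a POM file.
func pomURL(registry, group, artifact, version string) string {
	return strings.TrimSuffix(registry, "/") + "/" + strings.ReplaceAll(group, ".", "/") + "/" + artifact + "/" + version + "/" + artifact + "-" + version + ".pom"
}
// get serves url from the cache, fetching only on a miss; a cached 404 counts as a hit too.
func (c *registryClient) get(url string) cachedResponse {
	if r, ok := c.cache[url]; ok {
		return r
	}
	status, body := c.fetch(url)
	c.requests++
	c.cache[url] = cachedResponse{status, body}
	return c.cache[url]
}
// resolvePOM tries each registry in turn and returns the first body served with HTTP 200.
func (c *registryClient) resolvePOM(group, artifact, version string) (string, bool) {
	for _, reg := range c.registries {
		if r := c.get(pomURL(reg, group, artifact, version)); r.status == 200 {
			return r.body, true
		}
	}
	return "", false
}
// newDemoClient wires a constructed private registry ahead of Maven Central; hosts and artifacts are made up.
func newDemoClient() *registryClient {
	known := map[string]string{ // only the private host serves com.example:internal-lib:1.0
		"https://repo.example.internal/com/example/internal-lib/1.0/internal-lib-1.0.pom": "<project>internal-lib</project>",
		"https://repo.maven.apache.org/maven2/org/example/shared/2.0/shared-2.0.pom":       "<project>shared</project>",
	}
	fetch := func(url string) (int, string) {
		if body, ok := known[url]; ok {
			return 200, body
		}
		return 404, "" // not found at this registry
	}
	return &registryClient{registries: []string{"https://repo.example.internal", "https://repo.maven.apache.org/maven2"}, fetch: fetch, cache: map[string]cachedResponse{}}
}
```

Resolving the same coordinates a second time performs no fetches at all, because the 404 from the private host is cached alongside the 200 from Central.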
Now by default, deps.dev API is queried for package versions and requirements when resolving dependencies.
We should support fetching this data from private registries as well.