Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support private registries for Maven #1045

Open
cuixq opened this issue Jun 17, 2024 · 4 comments
Open

Support private registries for Maven #1045

cuixq opened this issue Jun 17, 2024 · 4 comments
Assignees
Labels
enhancement New feature or request guided remediation Related to guided remediation / osv-scanner fix

Comments

@cuixq
Copy link
Contributor

cuixq commented Jun 17, 2024

Now by default, deps.dev API is queried for package versions and requirements when resolving dependencies.

We should also support fetching these data from private registries as well.

@jenspopp
Copy link

That would be a highly appreciated feature ;-) Right now it already fails for my most simple projects with:

failed extracting pom.xml: failed to merge parents: failed to get Maven project my.maven:super-pom:1.7.2: API query failed: Maven registry query status: 4
04 Not Found

@cuixq cuixq added the enhancement New feature or request label Jul 18, 2024
@cuixq cuixq self-assigned this Jul 30, 2024
@cuixq cuixq added the guided remediation Related to guided remediation / osv-scanner fix label Aug 8, 2024
cuixq added a commit that referenced this issue Aug 22, 2024
#1045

Considering that we want to support native Maven registry, we need
`MergeMavenParents` from `internal/manifest` in
`internal/resolution/client`, however `internal/manifest` imports
`internal/resolution/client` for `DependencyClient` for dependency
resolution, and this causes an import cycle.

This PR moves the Maven utility in `internal/manifest` to a separate
package `internal/utility/maven`.
cuixq added a commit that referenced this issue Sep 4, 2024
#1045

This PR adds a dependency client fetching from Maven Central repository:
 - the client is based on the Maven registry API client
 - fetched projects and metadata are cached
@cuixq
Copy link
Contributor Author

cuixq commented Sep 19, 2024

Some updates regarding this issue:

  • There is a MavenRegistryAPIClient to talk to a Maven registry directly for metadata. Currently the URL is hard-coded to Maven Central, and we would like to make this configurable.
  • There is also MavenRegistryClient which can be used as a DependencyClient in dependency resolution. More work is needed to make it work with multiple-registry resolution which may involve working on deps.dev's Maven resolver.

cuixq added a commit that referenced this issue Oct 21, 2024
#1045

There are [repositories](https://maven.apache.org/pom.html#Repositories)
defined in a Maven pom.xml. When looking for an artifact, these
repositories are searched one by one until the artifact is found. Maven
Central is the default registry to try at the last.

To support this behaviour, this PR:
- makes `MavenRegistryAPIClient` host a list of registries besides the
default registry
- adds `UpdateRegistries` to `DependencyClient` to update the registries
 - adds a new flag to specify the default maven registry for `fix`
- add new experimental options to `scan` to align with what we have for
`fix`

TODO: 
 - still need to update documentation for new options/flags
 - update deps.dev Maven resolver for mutil-registry resolution
 - record not found requests to optimize performance
@another-rex
Copy link
Collaborator

Should this issue be closed with #1286 ?

@cuixq
Copy link
Contributor Author

cuixq commented Oct 30, 2024

There is one optimisation PR in progress and this can be closed after that.

cuixq added a commit that referenced this issue Dec 10, 2024
Follow up on #1045

Currently we cache the decoded Maven metadata and projects after
fetching from Maven registries. We are not able to know if a request is
Not Found or not. We can avoid making redundant not found requests if we
cache the whole response from Maven registries.

This PR caches the response body as well as the statue code. This
greatly improves the resolution performance - resolving
[registry.xml](https://github.com/google/osv-scanner/blob/main/cmd/osv-scanner/fixtures/maven-transitive/registry.xml)
improves from 20s to 5s.

A potential caveat is that the new cache may not work with the existing
cache, however considering the cache expires after some time and this is
still an experimental feature, I don't worry too much on this.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request guided remediation Related to guided remediation / osv-scanner fix
Projects
None yet
Development

No branches or pull requests

3 participants