cyclonedx-maven-plugin
Plugin does not use repositories specified in the project's pom
The plugin fails to load jars from 3rd party repositories, even if they are defined in the pom. It prints out warnings such as:
[WARNING] Unable to create Maven project for org.geotools:gt-referencing:jar:28.2 from repository.
This particular jar comes from https://repo.osgeo.org/repository/release.
As a work-around, the plugin is able to resolve repositories if they are defined in a profile in ~/.m2/settings.xml, but this makes the project non-portable. The project can also be built with a bundled settings.xml (e.g. mvn -s cyclonedx-settings.xml), but then any user configuration in the default ~/.m2/settings.xml is not picked up.
As an example, see https://github.com/elahrvivaz/geomesa/tree/2058f9222c964c38ca96a9de4d77cda8eb3ea11f
I am running into the same problem! Arg. I'd like to upvote this issue please. I have a few repos defined in my POM's repositories section and they are being ignored which causes warnings, and an incomplete SBOM.
I would like to see this fixed too.
So do I. I'm running into this in one of several projects. Unfortunately, it's private repos that I cannot share, and I don't see what's so special about the one project where it occurs. It works fine in other projects.
The work-around mentioned (define a profile with the repos in ~/.m2/settings.xml and activate that profile) works for me. Defining the same profile in pom.xml or defining the repos directly in pom.xml doesn't.
The warning is preceded by some info messages:
[INFO] Artifact xxx:yyy:pom:0.42.0 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadable from [...]
[INFO] Artifact xxx:yyy:pom:0.42.0 is present in the local repository, but cached from a remote repository ID that is unavailable in current build context, verifying that is downloadable from [...]
[WARNING] Unable to create Maven project for xxx:yyy:jar:0.42.0 from repository.
(Yes, the same info message twice.) The problem occurs in different environments (CI builds or local developer machine, Linux or Windows).
I suppose it would be useful if one could put together a simple public reproducer. Not sure the GeoMesa example counts as "simple"...
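The settings.xml workaround described above, written out as an added example (not from the original issue thread): a profile in ~/.m2/settings.xml that declares the repo.osgeo.org release repository named in the issue and is activated for every build. The profile id `cyclonedx-repos` and repository id `osgeo-release` are assumed names.

```xml
<!-- ~/.m2/settings.xml (added example, not from the issue thread) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <!-- Profile id is a hypothetical name chosen for this example -->
    <profile>
      <id>cyclonedx-repos</id>
      <repositories>
        <!-- Same repository as in the project's pom.xml; declared again here because the
             plugin only picks up repositories from settings.xml profiles, not from the pom -->
        <repository>
          <id>osgeo-release</id>
          <url>https://repo.osgeo.org/repository/release</url>
          <releases><enabled>true</enabled></releases>
          <snapshots><enabled>false</enabled></snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <!-- Activate the profile for every build on this machine, so the default settings
       file is still used and no separate -s file is needed -->
  <activeProfiles>
    <activeProfile>cyclonedx-repos</activeProfile>
  </activeProfiles>
</settings>
```

Run `mvn help:active-profiles` to confirm the profile is active before generating the SBOM; an inactive profile reproduces the incomplete SBOM described in the thread.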
This is happening for me with a private Artifactory repository which cannot be shared.
Are there any plans to address this issue?
The ignore-transitive-repositories flag, backported to Maven 3.x, might provide a workaround for this issue.
Could you elaborate on the work-around? In this case, we are declaring repositories in the pom.xml <repositories> tag, but they are not being used. From a quick look, it seems like ignoring transitive repositories would fix the opposite problem (repositories being used that aren't declared in the pom).
Thanks,
Sorry, I didn't read the original problem. Sure, this should fix the opposite problem of what you are having.
Hi all, where are we on this one?