
Support private registries for Maven

Open cuixq opened this issue 1 year ago • 2 comments

Now by default, deps.dev API is queried for package versions and requirements when resolving dependencies.

We should also support fetching these data from private registries as well.

cuixq avatar Jun 17 '24 01:06 cuixq

That would be a highly appreciated feature ;-) Right now it already fails for my most simple projects with:

failed extracting pom.xml: failed to merge parents: failed to get Maven project my.maven:super-pom:1.7.2: API query failed: Maven registry query status: 404 Not Found

jenspopp avatar Jun 25 '24 06:06 jenspopp

Some updates regarding this issue:

  • There is a MavenRegistryAPIClient to talk to a Maven registry directly for metadata. Currently the URL is hard-coded to Maven Central, and we would like to make this configurable.
  • There is also MavenRegistryClient, which can be used as a DependencyClient in dependency resolution. More work is needed to make it work with multiple-registry resolution, which may involve working on deps.dev's Maven resolver.

cuixq avatar Sep 19 '24 00:09 cuixq

Should this issue be closed with #1286?

another-rex avatar Oct 30 '24 04:10 another-rex

There is one optimisation PR in progress and this can be closed after that.

cuixq avatar Oct 30 '24 05:10 cuixq