cyclonedx-maven-plugin

Requests to wrong repositories causing block from apache.org

Open mguillem opened this issue 4 months ago • 5 comments

The cyclonedx-maven-plugin performs useless requests to repositories found in dependencies (even with --ignore-transitive-repositories). The consequence for us was that we have been blocked from apache.org (https://infra.apache.org/abc/).

Here is a minimal project with only 3 simple pom.xml files that reproduces the problem: https://github.com/mguillem/issue-cyclonedx-wrong-download

To summarize:

  • multimodule project with one parent and two children
  • child 1 contains one dependency and generates a test-jar
  • child 2 references child 1 jar & test-jar

In this demo project, the download is blocked by the mirror settings due to the http protocol, which makes the problematic requests visible.

[INFO] --- cyclonedx:2.9.0:makeBom (default-cli) @ child2 ---
[INFO] CycloneDX: Resolving Dependencies
[WARNING] Could not transfer metadata test:child1:0.0.1-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://repository.apache.org/snapshots, default, snapshots)]
[WARNING] Could not transfer metadata test:wrong-repo-parent:0.0.1-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://repository.apache.org/snapshots, default, snapshots)]
[WARNING] test:wrong-repo-parent:0.0.1-SNAPSHOT/maven-metadata.xml failed to transfer from http://0.0.0.0/ during a previous attempt. This failure was cached in the local repository and resolution will not be reattempted until the update interval of maven-default-http-blocker has elapsed or updates are forced. Original error: Could not transfer metadata test:wrong-repo-parent:0.0.1-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://repository.apache.org/snapshots, default, snapshots)]

mguillem avatar Sep 01 '25 07:09 mguillem

Hi, we are hitting the same issue and we are also being blocked in the apache repo. Is there some workaround changing maven or the plugin config? Thanks in advance!

jneira-stratio avatar Oct 24 '25 11:10 jneira-stratio

@jneira-stratio are test-jars involved in your case?

mguillem avatar Oct 28 '25 06:10 mguillem

Definitely there are some test-jars involved, at least in some repos, but unfortunately we don't have a minimal reproduction case like yours, so I can't confirm for sure.

Our hypothesis is:

  • the plugin collects all repos explicitly defined in all transitive dependencies' POMs
  • then it looks for our private dependencies snapshots in those repos (including apache one) because they are not found in our private repo stable versions

@mguillem I've updated my comment

jneira-stratio avatar Oct 28 '25 06:10 jneira-stratio

In our case we got a workaround setting our private repo as mirror of all repos with <mirrorOf>*</mirrorOf>, making far fewer requests and avoiding the ban.

jneira-stratio avatar Oct 28 '25 06:10 jneira-stratio

We are also facing this issue: every time a dependency (for example our own org.acme:myproject-core) is updated in the POM, tons of repositories not defined anywhere in our Maven or Nexus settings get queried.

Could not transfer metadata org.acme:myproject-domain:63.2.16-SNAPSHOT/maven-metadata.xml from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): oss.sonatype.org: Name or service not known
Could not transfer metadata org.acme:myproject-domain:63.2.16-SNAPSHOT/maven-metadata.xml from/to jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots): maven.java.net: Name or service not known
Could not transfer metadata org.acme:myproject:63.2.16-SNAPSHOT/maven-metadata.xml from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): oss.sonatype.org
Could not transfer metadata org.acme:myproject:63.2.16-SNAPSHOT/maven-metadata.xml from/to jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots): maven.java.net
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): oss.sonatype.org
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to apache.snapshots (https://repository.apache.org/snapshots): repository.apache.org: Name or service not known
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to apache.snapshots.https (https://repository.apache.org/content/repositories/snapshots): repository.apache.org
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://people.apache.org/repo/m2-snapshot-repository, default, snapshots)]
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots): maven.java.net

In our settings.xml we have one mirror of central defined, as well as one Nexus group repository which contains the repository with our own releases as well as a proxy repository of our company's shared repository.

Bukama avatar Nov 12 '25 09:11 Bukama
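
An added example, not part of the thread or of the plugin's code: a small audit script that reads Maven warning lines like those quoted above and reports which coordinates were looked up on hosts outside an allow-list. For `maven-default-http-blocker` lines it reports the repository named inside the brackets, since that is the one Maven was asked to contact. The sample log, the host `nexus.example.internal` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, modelled on the warning lines quoted in this thread.
SAMPLE_LOG = """\
[WARNING] Could not transfer metadata test:child1:0.0.1-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://repository.apache.org/snapshots, default, snapshots)]
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): oss.sonatype.org
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to internal (https://nexus.example.internal/repository/group): timeout
"""

# "Could not transfer metadata <g:a:v>/maven-metadata.xml from/to <id> (<url>)<rest>"
TRANSFER = re.compile(
    r"Could not transfer metadata (?P<coord>[^\s/]+)/maven-metadata\.xml "
    r"from/to (?P<repo_id>\S+) \((?P<url>[^)\s]+)\)(?P<rest>.*)")
# The http-blocker pseudo-mirror names the repository it stood in for.
BLOCKED = re.compile(
    r"Blocked mirror for repositories: \[(?P<id>\S+) \((?P<url>[^,)\s]+)")


def parse_line(line):
    """Return (coordinate, repo_id, host) for a transfer warning, else None."""
    m = TRANSFER.search(line)
    if not m:
        return None
    repo_id, url = m["repo_id"], m["url"]
    blocked = BLOCKED.search(m["rest"])
    if blocked:  # report the intended target, not http://0.0.0.0/
        repo_id, url = blocked["id"], blocked["url"]
    return m["coord"], repo_id, urlparse(url).hostname


def unexpected_lookups(log_text, allowed_hosts):
    """Map each non-allow-listed host to the coordinates requested from it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] not in allowed_hosts:
            hits[parsed[2]].add(parsed[0])
    return {host: sorted(coords) for host, coords in hits.items()}


if __name__ == "__main__":
    report = unexpected_lookups(SAMPLE_LOG, {"nexus.example.internal"})
    for host, coords in sorted(report.items()):
        print(f"{host}: {', '.join(coords)}")
```
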