Error when pulling plugin for maven project mirroring central repo
Why are we doing this work
For instances running dependency scanning in an isolated network, the gemnasium-maven-plugin dependency is built into the analyzer image as a "fatjar" and is present in the local repository (/root/.m2). Maven searches the local repository first, and if the dependency is found there it is used without any call to the network.
An error arises when the Maven build has central explicitly redirected to a private registry via a <mirror> entry. In that case Maven does not fall back to the copy in the local repository (/root/.m2) but tries to fetch the plugin from central, which now resolves to the private registry, and fails with an error about the missing dependency (unless the plugin has also been mirrored into the private registry).
This was originally reported in #412258 (closed)
The workaround was to add a <pluginRepositories> section to settings.xml:
<pluginRepositories>
  <pluginRepository>
    <id>local2</id>
    <name>local repository</name>
    <url>file:///root/.m2/repository/</url>
  </pluginRepository>
</pluginRepositories>
Full settings.xml files: settings.before.xml and settings.after.xml.
More info in thread: #412258 (comment 1418907606)
Note: the linked issue also resolved a bug in the analyzer where the version of the installed plugin was different from the version invoked by the analyzer: #412258 (comment 1397934958)
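Two details matter when applying the workaround above and are easy to get wrong: in settings.xml a <pluginRepositories> block is only valid inside a <profile>, and that profile has to be activated (via <activeProfiles> or activeByDefault) or Maven ignores it; and a mirror with <mirrorOf>*</mirrorOf> also captures the file: repository, so the redirect to the private registry wins again (Maven's external:* or an explicit !local2 exclusion leaves file: repositories alone). The following checker is an added example, not the analyzer's code: it parses a settings.xml, applies Maven's mirrorOf matching rules to the central repository and to the file: plugin repository, and reports whether the plugin would still be resolved locally. The settings fixtures are constructed inline (the registry URL is made up) and are not the attached settings.before.xml / settings.after.xml.

```python
"""Lint a Maven settings.xml for the failure mode in this issue: central is
mirrored to a private registry, so the gemnasium-maven-plugin fatjar in
/root/.m2 is not found unless an *active* profile adds a file: pluginRepository
that no mirror swallows. Added example, not the analyzer's own code."""
import xml.etree.ElementTree as ET

LOCAL_REPO = "/root/.m2/repository"  # where the analyzer image installs the fatjar


def build_settings(mirror_of="central", local_profile=False, activate=False):
    """Construct a settings.xml fixture (not the attached before/after files);
    the registry URL is made up."""
    mirror = f"""
  <mirrors><mirror><id>private</id><mirrorOf>{mirror_of}</mirrorOf>
    <url>https://registry.example.internal/maven</url></mirror></mirrors>""" if mirror_of else ""
    profile = """
  <profiles><profile><id>local2</id><pluginRepositories><pluginRepository>
    <id>local2</id><name>local repository</name>
    <url>file:///root/.m2/repository/</url>
  </pluginRepository></pluginRepositories></profile></profiles>""" if local_profile else ""
    active = "\n  <activeProfiles><activeProfile>local2</activeProfile></activeProfiles>" if activate else ""
    return f'<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">{mirror}{profile}{active}\n</settings>'


def _tag(el):  # drop the {http://maven.apache.org/SETTINGS/...} namespace prefix
    return el.tag.rsplit("}", 1)[-1]

def _kids(el, name):
    return [c for c in el if _tag(c) == name]

def _text(el, name):
    kids = _kids(el, name)
    return (kids[0].text or "").strip() if kids else ""


def mirror_matches(mirror_of, repo_id, repo_is_external=True):
    """Maven's mirrorOf matching (DefaultMirrorSelector): '*' matches every
    repository, 'external:*' only those not on localhost or file:, 'a,b' is a
    list of repository ids, and '!id' excludes one id."""
    patterns = [p.strip() for p in mirror_of.split(",") if p.strip()]
    if "!" + repo_id in patterns:
        return False
    return any(p == "*" or p == repo_id or (p == "external:*" and repo_is_external)
               for p in patterns)


def active_profile_ids(root):
    ids = {(p.text or "").strip() for ap in _kids(root, "activeProfiles")
           for p in _kids(ap, "activeProfile")}
    for prof in (p for ps in _kids(root, "profiles") for p in _kids(ps, "profile")):
        if any(_text(a, "activeByDefault") == "true" for a in _kids(prof, "activation")):
            ids.add(_text(prof, "id"))
    return ids


def check_settings(xml_text, local_repo=LOCAL_REPO):
    """Return which mirrors capture central, whether an effective file:
    pluginRepository for the local repo exists, and a one-line verdict."""
    root = ET.fromstring(xml_text)
    mirrors = [(_text(m, "id"), _text(m, "mirrorOf"))
               for ms in _kids(root, "mirrors") for m in _kids(ms, "mirror")]
    central_mirrors = [mid for mid, mof in mirrors if mirror_matches(mof, "central")]
    active = active_profile_ids(root)
    local_ok = False
    for prof in (p for ps in _kids(root, "profiles") for p in _kids(ps, "profile")):
        if _text(prof, "id") not in active:
            continue  # pluginRepositories in an inactive profile are ignored by Maven
        for pr in (r for prs in _kids(prof, "pluginRepositories") for r in _kids(prs, "pluginRepository")):
            url, rid = _text(pr, "url"), _text(pr, "id")
            # a '*' mirror redirects even a file: repository to the private registry
            swallowed = any(mirror_matches(mof, rid, repo_is_external=False) for _, mof in mirrors)
            if url.startswith("file:") and local_repo in url and not swallowed:
                local_ok = True
    if not central_mirrors:
        verdict = "ok: central is not mirrored, Maven will find the plugin in the local repo"
    elif local_ok:
        verdict = "ok: central is mirrored but an active profile adds a usable file: pluginRepository"
    else:
        verdict = "risk: central is mirrored and no usable file: pluginRepository; plugin must exist in the mirror"
    return {"central_mirrors": central_mirrors, "local_plugin_repo": local_ok, "verdict": verdict}


if __name__ == "__main__":
    for label, xml in [("mirror only", build_settings()),
                       ("mirror + workaround", build_settings(local_profile=True, activate=True)),
                       ("workaround in inactive profile", build_settings(local_profile=True)),
                       ("mirrorOf * swallows file: repo", build_settings("*", True, True))]:
        print(f"{label:32s} -> {check_settings(xml)['verdict']}")
```

Run it against the settings.xml the analyzer actually passes to Maven (the one referenced from MAVEN_CLI_OPTS, if any) to see whether the workaround is in effect; the two "risk" fixtures show the inactive-profile and mirrorOf * cases that look correct at a glance but still send the plugin lookup to the private registry.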
Relevant links
- original report: #412258 (closed)
- (analyzer) maven builder invoking the plugin: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/master/builder/maven/maven.go#L80
- (analyzer) where the fatjar is built: https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/master/build/gemnasium-maven/debian/install.sh#L53
Non-functional requirements
- Documentation: n/a
- Feature flag: n/a
- Performance: n/a
- Testing: the default offline test won't validate this case; the test case needs a private registry, with central mirrored to that private registry in the project's settings.xml
Proposal
Investigate whether it is possible for the plugin to just work in the mirror scenario without having to add or edit settings.xml. One path might be to invoke the plugin directly from its jar rather than through the implicit plugin resolution, which requires Maven to search for the dependency.
Another option is to add a mode that assumes the project has already been built and invokes dump-dependencies while overriding any settings.xml set in MAVEN_CLI_OPTS.
One more option is to update the documentation to state that any mirror of central must also hold a copy of gemnasium-maven-plugin.
The last option is to just document the workaround in https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#running-dependency-scanning-in-an-offline-environment
Implementation plan
TBD