jfrog audit --mvn not work with disabled repository id "central" on pom.xml #404

Open
@phuc98ute

Description

Hi,

Environment like below:

  • Run on github runner.
  • jfrog-cli latest version v2.74.1
  • jfrog-cli-security version v1.16.1

I am working on a Maven project whose pom.xml disables Maven Central with the configuration below:

    <!-- Disable central repositories -->
    <repositories>
        <repository>
            <id>central</id>
            <url>http://repo1.maven.org/maven2</url>
            <releases>
                <enabled>false</enabled>
            </releases>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>central</id>
            <url>http://repo1.maven.org/maven2</url>
            <releases>
                <enabled>false</enabled>
            </releases>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </pluginRepository>
    </pluginRepositories>

The command jf audit --mvn always returns an error:

Error:  Plugin org.apache.maven.plugins:maven-install-plugin:3.1.1 or one of its dependencies could not be resolved:
Error:  	Could not find artifact org.apache.maven.plugins:maven-install-plugin:jar:3.1.1
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException

12:07:47 [Info] Trace ID for JFrog Platform logs: 693742722d1f63ff
Error: 7 [Error] target '/runner/_work/xxxx/xxxxx [maven]' errors:
failed to build dependency tree: failed while building 'maven' dependency tree: failed running command 'mvn org.apache.maven.plugins:maven-install-plugin:3.1.1:install-file -Dfile=/tmp/jfrog.cli.temp.-1743509261-2764527690/maven-dep-tree.jar -B -s /tmp/jfrog.cli.temp.-1743509261-2764527690/settings.xml': exit status 1

After a deep dive into the logic of jfrog-cli-security, I believe the logic causes the issue as detailed below:

  • jf audit --mvn generates a settings.xml from this template.
  • When the wrapped mvn command is run inside "audit", that generated settings.xml is used.
  • Because the generated settings.xml is missing the pluginRepository config, plugin resolution falls back to the default repository id "central" and tries to resolve from Maven Central.
  • Additionally, the repository id "central" is disabled in pom.xml (as mentioned above), so this causes the error.

If the detailed logic I described above is correct, could anyone help me clarify why the settings.xml template has no config for pluginRepository?
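A pre-flight check for the fallback described in this issue, added here as an example and not code from jfrog-cli-security: it parses a pom.xml and a settings.xml and reports when plugin resolution would have to fall back to a "central" that the pom disables. Both XML strings are constructed; the settings.xml stands in for the generated template and assumes, as the issue describes, a profile with repositories but no pluginRepositories.

```python
# Added pre-flight check, not jfrog-cli-security code. The pom.xml and settings.xml
# strings are constructed; the settings.xml mirrors the shape the issue describes
# (a profile with <repositories> but no <pluginRepositories>) and is an assumption.
import xml.etree.ElementTree as ET

POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <pluginRepositories><pluginRepository><id>central</id>
    <releases><enabled>false</enabled></releases>
    <snapshots><enabled>false</enabled></snapshots>
  </pluginRepository></pluginRepositories></project>"""

SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles><profile><id>artifactory</id><repositories><repository>
    <id>artifactory</id><url>https://example.invalid/artifactory/maven</url>
  </repository></repositories></profile></profiles>
  <activeProfiles><activeProfile>artifactory</activeProfile></activeProfiles></settings>"""

def _walk(el, *path):
    # Namespace-agnostic descent: POM and SETTINGS files use different namespaces.
    nodes = [el]
    for name in path:
        nodes = [c for n in nodes for c in n if c.tag.rsplit("}", 1)[-1] == name]
    return nodes

def _text(el, *path):
    hit = _walk(el, *path)
    return (hit[0].text or "").strip() if hit else None

def disabled_plugin_repos(pom_xml):
    """Ids of pom.xml <pluginRepository> entries with releases AND snapshots off."""
    repos = _walk(ET.fromstring(pom_xml), "pluginRepositories", "pluginRepository")
    return {_text(r, "id") for r in repos
            if _text(r, "releases", "enabled") == "false"
            and _text(r, "snapshots", "enabled") == "false"}

def settings_plugin_repos(settings_xml):
    """Ids of <pluginRepository> entries declared in any settings.xml profile."""
    repos = _walk(ET.fromstring(settings_xml), "profiles", "profile",
                  "pluginRepositories", "pluginRepository")
    return {_text(r, "id") for r in repos}

def plugin_resolution_gap(pom_xml, settings_xml):
    """{"central"} when plugins cannot resolve: Maven's built-in plugin repository is
    "central", the pom disables it, and settings.xml adds no <pluginRepositories>
    to replace it. Empty set otherwise (e.g. after adding a plugin repo profile)."""
    if settings_plugin_repos(settings_xml):
        return set()
    return disabled_plugin_repos(pom_xml) & {"central"}
```

Running `plugin_resolution_gap(POM, SETTINGS)` on the constructed inputs reports {"central"}; adding a pluginRepositories stanza to the settings profile makes it return an empty set.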

Labels: question