Requests to wrong repositories causing block from apache.org

[mguillem]

The cyclonedx-maven-plugin performs useless requests to repositories found in dependencies (even with --ignore-transitive-repositories). The consequence for us was that we have been blocked from apache.org (https://infra.apache.org/abc/).

Here is a minimal project with only 3 simple pom.xml files allowing to reproduce the problem: https://github.com/mguillem/issue-cyclonedx-wrong-download

To summarize:

• multimodule project with one parent and two children
• child 1 contains one dependency and generates a test-jar
• child 2 references child 1 jar & test-jar

In this demo project, the download is blocked by the mirror settings due to the http protocol, what makes the problematic requests visible.

[INFO] --- cyclonedx:2.9.0:makeBom (default-cli) @ child2 ---
[INFO] CycloneDX: Resolving Dependencies
[WARNING] Could not transfer metadata test:child1:0.0.1-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://repository.apache.org/snapshots, default, snapshots)]
[WARNING] Could not transfer metadata test:wrong-repo-parent:0.0.1-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://repository.apache.org/snapshots, default, snapshots)]
[WARNING] test:wrong-repo-parent:0.0.1-SNAPSHOT/maven-metadata.xml failed to transfer from http://0.0.0.0/ during a previous attempt. This failure was cached in the local repository and resolution will not be reattempted until the update interval of maven-default-http-blocker has elapsed or updates are forced. Original error: Could not transfer metadata test:wrong-repo-parent:0.0.1-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://repository.apache.org/snapshots, default, snapshots)]

[jneira-stratio]

Hi, we are hitting the same issue and we are also being blocked in the apache repo. Is there some workaround changing maven or the plugin config?
Thanks in advance!

[mguillem]

@jneira-stratio are test-jars involved in your case?

[jneira-stratio]

Definitely there are some test-jars involved at least in some repos but unfortunately we don't have a minimal reproduction case as yours, so i can't confirm for sure.

Our hypothesis is:

• the plugin collects all repos explicitly defined in all transitive dependencies poms
• then it looks for our private dependencies snapshots in those repos (including apache one) because they are not found in our private repo stable versions

@mguillem i've updated my comment

[jneira-stratio]

In our case we got a workaround setting our private repo as mirror of all repos with <mirrorOf>*</mirrorOf>, making far fewer requests and avoiding the ban.

[Bukama]

We are also facing this issue everytime a dependency (for example our own org.acme:myproject-core) is updated in POM a tons of repositories, not definied somewhere in our maven or nexus settings get tried to queried

Could not transfer metadata org.acme:myproject-domain:63.2.16-SNAPSHOT/maven-metadata.xml from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): oss.sonatype.org: Name or service not known
Could not transfer metadata org.acme:myproject-domain:63.2.16-SNAPSHOT/maven-metadata.xml from/to jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots): maven.java.net: Name or service not known
Could not transfer metadata org.acme:myproject:63.2.16-SNAPSHOT/maven-metadata.xml from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): oss.sonatype.org
Could not transfer metadata org.acme:myproject:63.2.16-SNAPSHOT/maven-metadata.xml from/to jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots): maven.java.net
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): oss.sonatype.org
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to apache.snapshots (https://repository.apache.org/snapshots): repository.apache.org: Name or service not known
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to apache.snapshots.https (https://repository.apache.org/content/repositories/snapshots): repository.apache.org
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [apache.snapshots (http://people.apache.org/repo/m2-snapshot-repository, default, snapshots)]
Could not transfer metadata org.acme:myproject-core:63.2.16-SNAPSHOT/maven-metadata.xml from/to jvnet-nexus-snapshots (https://maven.java.net/content/repositories/snapshots): maven.java.net

In our setting.xml we have one mirror of central definied as well one nexus group-repository which contains the repository with own releases as well an prox-repository of our company shared repository