NexusAnalyser cannot download pom files from Nexus

[MichaelVetter]

Describe the bug
NexusAnalyser search returns pom URLs that point to our Nexus V3.
NexusAnalyser cannot download these pom files from our Nexus.
Since the exception message from the Downloader class is not logged I can only guess why it fails.
I assume that the Downloader does not use the credentials from the configured nexusServerId.

Version of dependency-check used
The problem occurs using version 12.2.0 of the maven plugin

Log file
[WARNING] Unable to download pom.xml for my-tomcat.war: spring-binding-3.0.1.jar from Nexus repository; this could result in undetected CPE/CVEs.

Expected behavior
The exception message from the Downloader class should be logged.
The Downloader should use the credentials from the configured nexusServerId when called by the NexusAnalyser.

[chadlwilson]

Please run maven with the standard debug -X flag and look at the logs and share if you can’t work it out.

[MichaelVetter]

@chadlwilson I already used the debug flag. The WARNING above is a message from here:
https://github.com/dependency-check/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java#L288

[chadlwilson]

Try enabling trace logging for the maven slf4j simple logger then to unblock yourself. Or or org.apache.hc group specifically if it’s too noisy.

I’d at least expect you to have and share the debug messages as well, rather than a single line out of context, without any of your configuration. Even if it’s missing specifically what you are looking for, there is plenty more logged at debug level, including realized configuration settings.

We can possibly help if you share the details more completely.

[chadlwilson]

You might find maven"s mvn help:effective-pom is useful for figuring out the realized config on the plugin. I find people often get mixed up with profiles and executions, especially with multi-module and aggregate goal usage.