Configure local Nexus server

[rompic]

I experience a number of timeouts from Central atm.

https://jeremylong.github.io/DependencyCheck/data/index.html states that

If Central cannot be reached, it is highly recommended to setup a Nexus server within your organization and to configure dependency-check to use the local Nexus server.
We already have nexus set up.
How can this be configured? I just found the nexus analyzer. is nexus pro necessary?

thx,
Roman

[initialzero]

I can't connect to Central either. Getting lots of "Could not connect to Central search. Analysis failed." messages.

Is Artifactory an alternative option?

[jeremylong]

Yes, Nexus Pro would be required to use the current Nexus Analyzer instead of Central. An artifactory instance is not viable yet as we have not created an Artifactory Analyzer.

Note - if you are using Maven or Gradle there is very little gain from leaving the Central Analyzer enabled. If you are using Ant or the CLI - the Central Analyzer does pull in additional information that can assist with the identification process.

[jeremylong]

To actually configure the Nexus Analyzer (which requires the Pro version) see the configuration documentation - specifically nexusAnalyzerEnabled and nexusUrl

[jansohn]

@jeremylong just to clarify, if we already use the maven-dependency-plugin, we could disable both Central and Nexus Analyzer?

Additionally for the Nexus Analyzer. Are both v2 and v3 Sonatype Nexus supported?

[jeremylong]

ATM - there is very little gain from using the Central or Nexus analyzer if you are using the Maven or Gradle plugins to execute dependency-check.

I believe Nexus v2 and Nexus Pro v3 work. From v2 to v3 Sonatype moved the API that was being used to the pro version.

[HKPSS]

May I know how I can pass the credentials to the nexus analyzer from the CLI tool to use Nexus Pro instead of Central analyzer.

Regards,
Harkunwar

[jeremylong]

@HKPSS looks like that we built this using Nexus 2 without authentication; others users have told us Nexus Pro 3 works as well. However, we did not implement any authentication to Nexus.

If you are using the Maven or Gradle plugins you can disable the Central Analyzer and the only thing you will loose is validation that the JARs are the valid ones published in your Nexus (i.e. the HTML report they will have a green checkbox) and you will have a link to directly download the dependency. If you are using the CLI, Ant, or Jenkins plugins to scan and analyze the dependencies then the Central (or Nexus) analyzer can add additional information that reduces false positive/negatives.

If the authentication to Nexus Pro v3 is something you need soon - PRs are always welcome.

[aikebah]

@jeremylong I don't have a Nexus Pro v3, but I do have a Nexus OSS v2 that requires authentication at my disposal. Will look into creating a PR that would make the NexusAnalyzer capable of at least authenticating to Nexus repository v2, assuming that it will also work for Pro v3.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.