jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Nexus/Central analyzers should fail hard when they cannot download some file #1112

Open v6ak opened 6 years ago

v6ak commented 6 years ago

Excerpt from NexusAnalyzer:

```java
} catch (DownloadFailedException ex) {
    LOGGER.warn("Unable to download pom.xml for {} from Nexus repository; "
            + "this could result in undetected CPE/CVEs.", dependency.getFileName());
} finally {
```

In order to have stable scans, I would rather fail (i.e., throw an exception) at this point. Maybe this could be configurable, but I find this reasonable as the default behavior.

Without that, a connection issue can affect the build. That would be OK if that meant build failure (that is, ODC finds out that it misses some important information). This is not OK if it means that ODC pretends everything is OK.

EDIT: I have hit Enter prematurely…

mprins commented 6 years ago

I disagree, I think this warning is appropriate; the repository managers do not provide vulnerability information, just a better identification of artifacts in case you're not using Maven.

v6ak commented 6 years ago

It depends on the type of failure:

When you look at the fetchFile method, DownloadFailedException is thrown in all the cases, not just in case of 404. And that's the point of the issue.

jeremylong commented 6 years ago

Thanks for the suggestion. I agree we should differentiate between the reasons for the failure and in some cases fail the execution vs. just outputting a warning.
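One way to draw the distinction discussed in this thread, as an added illustration rather than DependencyCheck's own code: treat an HTTP 404 from the repository as an authoritative miss that only weakens identification (warn and continue), and treat every other failure (unreachable host, timeout, TLS or auth error, 5xx) as missing data that should abort the scan by default. `RepositoryLookup`, `fetchPom`, `analyze` and the `failOnRepositoryError` flag are hypothetical names; only `DownloadFailedException` and `fetchFile` appear on the page, and the code assumes Java 11+.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Optional;
// Added illustration, not DependencyCheck's own code (names are hypothetical).
// A 404 is a definitive "not in this repository" and is only a warning; any other
// failure means the scan is missing data and is fatal unless explicitly tolerated.
public class RepositoryLookup {
    /** The repository could not be consulted at all (network, TLS, auth, 5xx). */
    public static class DownloadFailedException extends Exception {
        public DownloadFailedException(String msg) { super(msg); }
        public DownloadFailedException(String msg, Throwable cause) { super(msg, cause); }
    }
    /** Pom bytes, or Optional.empty() on HTTP 404; everything else throws. */
    public static Optional<byte[]> fetchPom(URL pomUrl, int timeoutMillis) throws DownloadFailedException {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) pomUrl.openConnection();
            conn.setConnectTimeout(timeoutMillis);
            conn.setReadTimeout(timeoutMillis);
            int status = conn.getResponseCode();   // does not throw on 4xx/5xx
            if (status == HttpURLConnection.HTTP_NOT_FOUND) {
                return Optional.empty();           // definitive miss: caller may warn
            }
            if (status != HttpURLConnection.HTTP_OK) {
                throw new DownloadFailedException("HTTP " + status + " for " + pomUrl);
            }
            try (InputStream in = conn.getInputStream()) {
                return Optional.of(in.readAllBytes());
            }
        } catch (IOException ex) {                 // DNS, refused, timeout: state unknown
            throw new DownloadFailedException("Cannot reach repository for " + pomUrl, ex);
        } finally {
            if (conn != null) conn.disconnect();
        }
    }
    /** Analyzer policy: warn on a miss; abort the scan when the repository is unreachable. */
    public static void analyze(URL pomUrl, boolean failOnRepositoryError) throws DownloadFailedException {
        try {
            if (fetchPom(pomUrl, 5000).isEmpty()) {
                System.err.println("WARN: no pom.xml for " + pomUrl + "; identification may be weaker");
            }
        } catch (DownloadFailedException ex) {
            if (failOnRepositoryError) throw ex;  // default: do not pretend the scan is complete
            System.err.println("WARN: " + ex.getMessage());
        }
    }
}
```

With `failOnRepositoryError` defaulting to true, a transient network problem turns into a failed build rather than a clean-looking report that silently lacks repository data.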