Open v6ak opened 6 years ago
I disagree, I think this warning is appropriate; the repository managers do not provide vulnerability information, just a better identification of artifacts in case you're not using Maven.
It depends on type of failure:
When you look at the fetchFile method, DownloadFailedException is thrown in all the cases, not just in case of 404. And that's the point of the issue.
Thanks for the suggestion. I agree we should differentiate between the reasons for the failure and in some cases fail the execution vs. just outputting a warning.
Excerpt from NexusAnalyzer:
In order to have stable scans, I would rather fail (i.e., throw an exception) at this point. Maybe this could be configurable, but I find this reasonable as the default behavior.
Without that, a connection issue can affect the build. That would be OK if that meant build failure (that is, ODC finds out that it misses some important information). This is not OK if it means that ODC pretends everything is OK.
EDIT: I have hit Enter prematurely…
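The fail-versus-warn split argued for above, as an added example that is not part of the thread or of dependency-check's own NexusAnalyzer: the class, method and exception names are hypothetical, and it uses the standard Java 11 HttpClient rather than the project's fetch utilities. The point it makes concrete is that only an HTTP 404 is an authoritative "not in this repository" answer that can be logged as a warning; a connection failure, timeout, 401/403 or 5xx means the repository was never consulted, so the analysis must fail rather than pretend the artifact was checked.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Optional;

/**
 * Added example, not code from dependency-check. Separates "the repository answered
 * and does not have this artifact" (warn and continue) from "we never got a trustworthy
 * answer" (fail the scan). All names are hypothetical.
 */
public final class ArtifactLookup {

    /** The repository could not be consulted; the caller must fail the analysis, not warn. */
    public static final class RepositoryUnavailableException extends IOException {
        public RepositoryUnavailableException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** Pure classification of an HTTP status so the policy is visible in one place. */
    public enum Verdict { FOUND, NOT_IN_REPOSITORY, REPOSITORY_UNAVAILABLE }

    public static Verdict classify(int status) {
        if (status >= 200 && status < 300) {
            return Verdict.FOUND;
        }
        if (status == 404) {
            // Authoritative answer: the server is up and does not know this artifact.
            return Verdict.NOT_IN_REPOSITORY;
        }
        // 401/403 (bad credentials), 429, 5xx, proxy errors: the answer is unknown.
        return Verdict.REPOSITORY_UNAVAILABLE;
    }

    private final HttpClient client;

    public ArtifactLookup(HttpClient client) {
        this.client = client;
    }

    /**
     * Returns the response body when the artifact is found, Optional.empty() when the
     * repository reports it absent, and throws for every other outcome.
     */
    public Optional<String> lookup(URI uri) throws RepositoryUnavailableException {
        HttpRequest request = HttpRequest.newBuilder(uri)
                .timeout(Duration.ofSeconds(10))
                .GET()
                .build();
        HttpResponse<String> response;
        try {
            response = client.send(request, HttpResponse.BodyHandlers.ofString());
        } catch (IOException e) {
            // Connection refused, DNS failure, TLS failure, timeout: the repository was never reached.
            throw new RepositoryUnavailableException("could not reach " + uri.getHost(), e);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RepositoryUnavailableException("interrupted while contacting " + uri.getHost(), e);
        }
        switch (classify(response.statusCode())) {
            case FOUND:
                return Optional.of(response.body());
            case NOT_IN_REPOSITORY:
                return Optional.empty();
            default:
                throw new RepositoryUnavailableException(
                        "unexpected HTTP " + response.statusCode() + " from " + uri, null);
        }
    }

    /** Analyzer-side usage: a missing artifact is a warning, an unreachable repository is fatal. */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ArtifactLookup <repository-lookup-url>");
            System.exit(2);
        }
        ArtifactLookup lookup = new ArtifactLookup(HttpClient.newHttpClient());
        try {
            Optional<String> body = lookup.lookup(URI.create(args[0]));
            if (body.isPresent()) {
                System.out.println("found: " + body.get().length() + " bytes of metadata");
            } else {
                System.out.println("WARNING: artifact not in repository; continuing with other analyzers");
            }
        } catch (RepositoryUnavailableException e) {
            // A build that cannot reach the repository must not report a clean scan.
            System.err.println("FATAL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Making the fatal path configurable (for example an "ignore repository errors" flag) is compatible with this design, but the safe default is the one shown: an unreachable repository stops the scan, because a silently skipped lookup is indistinguishable from a clean result in the report.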