jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Ability to override CENTRAL_CONTENT_URL so .POM files can be downloaded via Reverse Proxy #2289

Closed blaksec closed 5 years ago

blaksec commented 5 years ago

Looking for a way to override CENTRAL_CONTENT_URL, which I believe is defined inside MavenArtifact.java:

private static final String CENTRAL_CONTENT_URL = "https://search.maven.org/remotecontent?filepath=";

This would allow us to run DC behind a reverse proxy. Note, we are already able to reach maven.org by pointing "analyzer.central.url" to our reverse proxy, but that only seems to be working for look-ups. The .POM download requests still go to CENTRAL_CONTENT_URL.

Unless, of course, there is a config setting I'm missing?

I'm on 4.0.2

Thank you in advance, BSec

jeremylong commented 5 years ago

Thanks for the enhancement request - makes sense. We tried to keep most things like this configurable.

I would highly recommend upgrading to 5.2.2. There are a TON of changes in the 5.0.0 release - the most important of which is that we switched from using the NIST XML data feeds to using the JSON data feeds. The XML data feeds are being retired: https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement.

blaksec commented 5 years ago

@jeremylong thank you for the quick response. I'll definitely update to the latest version the moment #2292 makes it to the public (binary) build.