jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

Download from maven-central fails for plugins when resolving release repository with JFrog CLI #2542

Closed m-jonn closed 1 month ago

m-jonn commented 1 month ago

Describe the bug

"jf mvn clean compile" does not download plugins from the Maven Central URL when release and snapshot repositories are configured with JFrog CLI; the Artifactory URL is used instead, e.g.

jf mvn-config --server-id-resolve artifactory.id --repo-resolve-releases your-local-maven-repo  --repo-resolve-snapshots your-local-maven-repo
jf mvn clean compile

while plugins are correctly downloaded when not using JFrog CLI:

mvn clean compile

Note that the pom.xml includes maven-central as pluginRepository.

Current behavior

jf mvn-config --server-id-resolve artifactory.id --repo-resolve-releases your-local-maven-repo --repo-resolve-snapshots your-local-maven-repo
jf mvn clean compile

Reproduction steps

Use a pom.xml similar to ...

<?xml version="1.0" encoding="UTF-8"?>
<project>
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.artifactory.demo</groupId>
    <artifactId>maven-package-example</artifactId>
    <version>0.1.0-SNAPSHOT</version>
    <name>Tiny Maven Package Example to download dependencies from JFrog Artifactory</name>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.release>17</maven.compiler.release>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.13.2</version>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>3.8.1</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>

    <repositories>
        <repository>
            <id>artifactory.id</id>
            <name>a0ojuelzhkzyq-artifactory-primary-0-depends</name>
            <url>https://merckgroup.jfrog.io</url>
        </repository>
    </repositories>

    <pluginRepositories>
        <pluginRepository>
            <id>central-plugins</id>
            <name>Central Plugins</name>
            <url>https://repo.maven.apache.org/maven2/</url>
            <releases>
                <enabled>true</enabled>
            </releases>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </pluginRepository>
    </pluginRepositories>
</project>

then run the following commands

  1. jf c add ...
  2. jf mvn-config --server-id-resolve artifactory.id --repo-resolve-releases your-local-maven-repo --repo-resolve-snapshots your-local-maven-repo
  3. jf mvn clean compile

Note that this bug is reproducible on our GitHub Runners (Ubuntu 22.0.4) as well as on local macOS and Windows workspaces.

Expected behavior

If pluginRepository is set to Maven Central in pom.xml, JFrog CLI should use the Maven Central URL even though release and snapshot repositories are resolved to the local Artifactory repository.

jf mvn clean compile

JFrog CLI version

2.56.0

Operating system type and version

MacOS 14.3.1, Ubuntu 22.0.4

JFrog Artifactory version

Cloud

JFrog Xray version

No response

yahavi commented 1 month ago

@m-jonn Thank you for using the JFrog CLI.

This is intentionally designed - the configured Artifactory server substitutes all resolution repositories. We recommend resolving from a virtual repository that includes both your local Maven repository in Artifactory and a remote repository pointing to Maven Central.

This approach offers the following advantages:

  1. Artifacts downloaded will be cached in Artifactory, resulting in faster and more stable builds over time.
  2. All downloaded artifacts will be logged in the build-info, enhancing the traceability of builds.
  3. JFrog Xray and JFrog Curation will scan all artifacts, preventing vulnerabilities from being included in your builds.

Please let me know if that helped.
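
An added example, not part of the original thread and not JFrog code: a small audit that lists the `repositories` and `pluginRepositories` entries of a pom.xml whose host is outside an allow-list, i.e. the entries a plain `mvn` build would resolve without the caching, build-info logging and scanning listed above. The sample POM and the host `artifactory.example.com` are constructed placeholders.

```python
"""Audit a pom.xml for repositories that resolve outside an approved host."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample modelled on the pom.xml in the issue; hosts are placeholders.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>artifactory.id</id>
      <url>https://artifactory.example.com/artifactory/maven-virtual</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>central-plugins</id>
      <url>https://repo.maven.apache.org/maven2/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

def local(tag):
    """Strip an XML namespace so namespaced and bare POMs are handled alike."""
    return tag.rsplit("}", 1)[-1]

def external_repositories(pom_text, allowed_hosts):
    """Return (kind, id, url) for each resolution repo whose host is not allowed."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for container in ET.fromstring(pom_text).iter():
        # Only resolution repos (also inside profiles); deploy targets are skipped.
        if local(container.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in container:
            fields = {local(c.tag): (c.text or "").strip() for c in repo}
            host = (urlparse(fields.get("url", "")).hostname or "").lower()
            # A missing or unparseable URL is reported too: it cannot be verified.
            if host not in allowed:
                findings.append((local(repo.tag), fields.get("id", ""), fields.get("url", "")))
    return findings

if __name__ == "__main__":
    for kind, repo_id, url in external_repositories(SAMPLE_POM, ["artifactory.example.com"]):
        print(f"{kind} '{repo_id}' resolves outside Artifactory: {url}")
```
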

m-jonn commented 1 month ago

Thank you @yahavi.

Makes sense. We are just switching to JFrog CLI because of the OIDC integration and did not encounter this issue with pure Maven. Anyway, thanks for pointing us to the correct solution.

m-jonn commented 1 month ago

Just confirmed and now it is working. Thanks @yahavi