sonatype-nexus-community / nexus-repository-composer

Composer support for the Nexus Repository Manager (work in progress!)
Eclipse Public License 1.0

package meta data - version_normalized #142

Open sonnenkindhope opened 1 year ago

sonnenkindhope commented 1 year ago

Hei hei,

What I'm trying to do: I'm trying to use Nexus as a repository in OWASP Dependency-Track. The packages to be analyzed are stored as composer-hosted packages. It's code in a zip, uploaded to the relevant endpoint. The packages are solely created for private use and cannot be provided through another repository.

Everything works fine when getting the metadata using the route composer-hosted/p/%package%.json, with %package% just as a placeholder for the real name.

What feature or behavior is this required for? Dependency-Track expects the key/value pair with key version_normalized for its version comparison functionality, which does not seem to be created when the %package%.json itself is generated.

Is there anything I'm missing which prevents the creation of the version_normalized information? Do I interpret the key/value pair wrong?

Solution? (maybe, kinda...) Since version and version_normalized may, but don't need to, be different, an easy way could be to provide the value of version also in version_normalized. In doing so the provided metadata would be more like the metadata provided by e.g. Packagist. As far as I understand, everything seems to boil down to the functions in ComposerJsonProcessor.java
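For reference, here is an added example (not code from nexus-repository-composer or from the reporter) that applies Composer's own normalization rules instead of copying version verbatim, since Packagist pads numeric versions to four components (1.4.0 becomes 1.4.0.0) and a consumer comparing against such values needs the same form. It assumes the v1 provider layout `{"packages": {"vendor/name": {"<version>": {...}}}}` for p/%package%.json and handles numeric versions with stability suffixes only (branch versions such as dev-main are not covered); the package name and document are constructed.

```python
import json
import re

# Composer-style normalization: pad to four numeric components and canonicalise
# the stability suffix. Assumption: branch versions (dev-*) are out of scope here.
_VERSION_RE = re.compile(
    r"^v?(\d{1,5})(\.\d+)?(\.\d+)?(\.\d+)?"
    r"(?:[._-]?(beta|b|rc|alpha|a|patch|pl|p)((?:[.-]?\d+)+)?)?"
    r"([.-]?dev)?$",
    re.IGNORECASE,
)
_STABILITY = {"a": "alpha", "b": "beta", "p": "patch", "pl": "patch", "rc": "RC"}


def normalize_version(version: str) -> str:
    """Return the version_normalized form of a numeric Composer version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    # Missing components are filled with 0, e.g. "1.2" -> "1.2.0.0".
    parts = [m.group(1)] + [(g or ".0")[1:] for g in m.groups()[1:4]]
    normalized = ".".join(parts)
    if m.group(5):
        stability = m.group(5).lower()
        normalized += "-" + _STABILITY.get(stability, stability) + (m.group(6) or "").lstrip(".-")
    if m.group(7):
        normalized += "-dev"
    return normalized


def add_version_normalized(provider_json: str) -> dict:
    """Fill in version_normalized wherever it is missing in a v1 provider document."""
    doc = json.loads(provider_json)
    for versions in doc.get("packages", {}).values():
        for meta in versions.values():
            if "version_normalized" not in meta:
                meta["version_normalized"] = normalize_version(meta["version"])
    return doc


# Constructed sample resembling what the hosted repository serves, without version_normalized.
SAMPLE = json.dumps({"packages": {"acme/internal-lib": {
    "1.4.0": {"name": "acme/internal-lib", "version": "1.4.0"},
    "2.0.0-RC1": {"name": "acme/internal-lib", "version": "2.0.0-RC1"},
}}})

if __name__ == "__main__":
    print(json.dumps(add_version_normalized(SAMPLE), indent=2))
```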