Dear Jeremy,
Warm thanks for your brilliant work over the last years; this plugin is a must-have.
Our Goal
We try to avoid any connection to untrusted (external) resources in our CI process.
For a few exceptions we allow accessing external servers through a proxy. The proxy must be declared for each use case separately, so we are aware of the risk and know which component is using the proxy for what kind of resource.
Current Solution for the dependency-check-maven plugin
The plugin uses one of the <proxy> definitions from the Maven settings.xml.
The targeted proxy must be set as you correctly described in https://groups.google.com/g/dependency-check/c/8p_0j4oMcAA/m/otagX2LRAwAJ.
The Problem
There are some other Maven plugins that look in the Maven settings.xml for active proxies and use them automatically, e.g. https://github.com/eirslett/frontend-maven-plugin/ (but there may be more).
If we configure active proxies, we lose control and may silently access untrusted sources.
Describe the solution you'd like
The proxy definition should be part of the dependency-check-maven configuration and not used for anything else.
Describe alternatives you've considered
The dependency-check-maven plugin might pick up a named inactive proxy definition from the Maven settings.xml, but other plugins could scan for those proxy definitions too (the frontend-maven-plugin doesn't).