There seems to be some issue with dependency-check-maven where, when using the aggregate type output, the plugin is downloading all dependencies from the repositories instead of using the local build versions via Reactor. This started happening somewhere between version 1.4.0 and 1.4.5, since we did not experience this problem in 1.4.0. And this forum post suggests a large part of this was rewritten within that range.
Full build log available here. Relevant snippets pasted below. Notice the Downloading part near the end. This should not be happening, since this is a local module, so it should be built first, and its local artifacts used in the analysis.
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T10:41:47-06:00)
Maven home: /usr/local/Cellar/maven/3.3.9/libexec
Java version: 1.8.0_111, vendor: Oracle Corporation
Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.12.4", arch: "x86_64", family: "mac"
...<snip>...
[INFO] Reactor Build Order:
[INFO]
[INFO] StreamSets Data Collector RB Gen Maven Plugin
[INFO] StreamSets Data Collector
[INFO] StreamSets Data Collector Root Prototype POM
[INFO] StreamSets Data Collector Root POM
[INFO] StreamSets Testing Library
[INFO] StreamSets Data Collector Bootstrap
[INFO] StreamSets Utils
[INFO] StreamSets SSO
[INFO] StreamSets Data Collector Common
...<snip>...
...NOTE: this is where the undesired download happens. It should be using the local Maven module...
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.streamsets.net/artifactory/libs-snapshot
Downloading: https://repo.streamsets.net/artifactory/libs-snapshot/com/streamsets/streamsets-datacollector-common/2.6.0.0-SNAPSHOT/streamsets-datacollector-common-2.6.0.0-20170501.145725-107.jar
To reproduce, check out streamsets/datacollector and reverse this commit (in other words, turning the report back to aggregate instead of check). Observe that the download above does not happen. Alternately, change the plugin version from 1.4.5 back to 1.4.0 in root-proto/pom.xml, leaving aggregate output, and observe the downloads do not happen in that circumstance either.
Any further info is available as needed. Thank you!
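A log check for the symptom described above, added here and not code from the issue or from the dependency-check project: it reads a Maven build log, collects the artifactIds the reactor actually built from Maven's `@ <artifactId> ---` plugin-execution lines, and flags any `Downloading:` line whose artifact is one of those modules, since a reactor module being fetched from a remote repository is exactly what should not happen. The sample log is constructed; the module name and snapshot URL follow the ones quoted in the issue.

```python
import re

# Constructed Maven log excerpt: one reactor module is built and installed,
# then the same artifact is fetched from the remote snapshot repository.
SAMPLE_LOG = """\
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ streamsets-datacollector-common ---
[INFO] --- maven-install-plugin:2.4:install (default-install) @ streamsets-datacollector-common ---
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.streamsets.net/artifactory/libs-snapshot
Downloading: https://repo.streamsets.net/artifactory/libs-snapshot/com/streamsets/streamsets-datacollector-common/2.6.0.0-SNAPSHOT/streamsets-datacollector-common-2.6.0.0-20170501.145725-107.jar
Downloading: https://repo.maven.apache.org/maven2/commons-io/commons-io/2.4/commons-io-2.4.jar
"""

# Maven prints "--- plugin:version:goal (execution) @ artifactId ---" for each
# plugin execution, which names the reactor module the execution ran in.
EXEC_RE = re.compile(r"^\[INFO\] --- \S+ \(\S+\) @ (\S+) ---$")
# Maven 3.3.x prints "Downloading: <url>" when it resolves from a remote repo.
DOWNLOAD_RE = re.compile(r"^Downloading: (\S+)$")


def reactor_modules(log_text):
    """ArtifactIds of the modules that the reactor built in this log."""
    modules = set()
    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            modules.add(m.group(1))
    return modules


def remote_downloads(log_text):
    """(artifactId, version, url) for every artifact fetched from a remote repository.

    Repository layout is .../<groupId path>/<artifactId>/<version>/<file>,
    so artifactId and version are the third- and second-to-last path segments.
    """
    downloads = []
    for line in log_text.splitlines():
        m = DOWNLOAD_RE.match(line)
        if not m:
            continue
        parts = m.group(1).rstrip("/").split("/")
        if len(parts) >= 4:
            downloads.append((parts[-3], parts[-2], m.group(1)))
    return downloads


def reactor_artifacts_fetched_remotely(log_text):
    """Downloads of artifacts the reactor itself built; these should have come from the local build."""
    modules = reactor_modules(log_text)
    return [(a, v, u) for a, v, u in remote_downloads(log_text) if a in modules]
```

Running it over a real `mvn -X` log (with the `SAMPLE_LOG` replaced by the file contents) lists each reactor artifact that the plugin pulled from a repository instead of the local build.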