I came across this note for --disableCentral in the CLI documentation.
Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly). If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer.
Isn't disabling Central but enabling Artifactory a valid approach?
If you rely on a "local" Artifactory instance, you most likely run it as a proxy for Central (and others). That means that all dependencies are likely already available in Artifactory by the time you run ODC. They were pulled down from Central when you built the project. In this scenario I see no added value in enabling the Central analyzer.
Did I miss something?