
feat: enable local proxy configuration in maven plugin configuration#5696

Merged
jeremylong merged 5 commits into dependency-check:main from mischa-n:provide_full_proxy_configuration_in_plugin_configuration on May 16, 2023

Conversation

@mischa-n
Contributor

@mischa-n mischa-n commented May 4, 2023

Relates to Issue #5040

Description of Change

CICD-SEC-03 recommends:

  1. ... packages are pulled through an internal proxy rather than directly from the internet ...
  2. ... pull packages from internal repositories ...

We have solved (2), trust our developers, they trust the developers of the third party libraries in use, and those trust the developers of dependent fourth party libraries ...
Nevertheless, we would like to go one step further and completely disable access to the Internet in our CI/CD pipeline.
Therefore, we need to configure a proxy for the dependency-check-maven plugin.

Currently, you can define a proxy to use in the dependency-check-maven plugin via the Maven settings or the system property http.proxyHost.
However, in both cases, the configured proxy is used not only for loading data for analysis, but potentially for dependency resolution as well:

With the proposed change, a local proxy can be configured for the dependency-check-maven plugin, which is then used exclusively for loading the analysis data:

<configuration>
	...
	<proxy>
		<host>myproxy</host>
		<port>1234</port>
	</proxy>
	...
</configuration>

Have test cases been added to cover the new functionality?

no
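As an added illustration (not part of the PR or of the project's own documentation), the contrast the description draws: a proxy declared in Maven's settings.xml is applied to all of Maven's HTTP traffic, including artifact resolution, whereas the plugin-scoped `<proxy>` introduced here is applied only to the plugin's analysis-data downloads. The plugin coordinates are the real ones; the proxy id, host, port and the version are placeholders, and the version is taken from the milestone named on this page.

```xml
<!-- settings.xml (global): every request Maven makes goes through this proxy,
     so artifact resolution from remote repositories is affected as well. -->
<settings>
  <proxies>
    <proxy>
      <id>corp-proxy</id>          <!-- placeholder -->
      <active>true</active>
      <protocol>http</protocol>
      <host>myproxy</host>         <!-- placeholder -->
      <port>1234</port>            <!-- placeholder -->
    </proxy>
  </proxies>
</settings>

<!-- pom.xml (plugin-scoped): only dependency-check-maven's own downloads
     traverse the proxy; dependency resolution keeps using the internal
     repository configured elsewhere, which is what the description wants. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>8.3.0</version>     <!-- milestone named on this page; assumed -->
      <configuration>
        <proxy>
          <host>myproxy</host>     <!-- placeholder -->
          <port>1234</port>        <!-- placeholder -->
        </proxy>
        <!-- If the proxy requires credentials, keep them out of the pom;
             the reviewer's comment below asks for them to come from
             settings.xml instead. -->
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The two fragments belong to different files and are shown together only for comparison.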

@boring-cyborg boring-cyborg Bot added the maven changes to the maven plugin label May 4, 2023
Collaborator

@jeremylong jeremylong left a comment


Any place we are accepting credentials we should allow this to be retrieved from the settings.xml.

@mischa-n
Contributor Author

@jeremylong : is there anything else I can do here to get the PR accepted?

@jeremylong jeremylong added this to the 8.3.0 milestone May 16, 2023
@jeremylong jeremylong merged commit dfdb405 into dependency-check:main May 16, 2023
@jeremylong
Collaborator

Sorry about the delay - thanks for the PR!

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Dec 14, 2024