Websites Listing Maven Transitive Dependencies

Tags: maven

Within my organisation, I'm heavily regulated by an IT security body. As such, all access to maven mirrors is prohibited. However, I can provide details of the dependencies I require so that the IT security bods can perform their checks / scans, and hopefully download the binaries for me.

I then install these in my local maven repo, which means that they're freely available to my team inside the firewall.

The beauty of maven is that it can identify and download transitive dependencies. However, without being able to access external POM files, I cannot perform these checks via maven dependency:tree.

As a result, I have to provide the dependencies one-at-a-time to the IT department. Given the depth of some of the dependency chains, this can take quite some time to go back/forward with IT. Alternatively, I do the dependency:tree at home, and mail myself the results.

I was wondering if anyone had any suggestions of websites where I can query for this information? So if I want (say) log4j:1.2.17, it will tell me that I also need to ask for javax.mail:mail:1.4.3 too.

Asked Oct 23 '13 by jwa
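One way to shortcut the one-at-a-time round trips described in the question: ask IT for the POM files alongside the jars, index the POMs you already hold, and walk the dependency graph offline so the next request to IT lists every coordinate whose POM is still missing. The script below is an added example, not code from the question or the answer. It assumes POMs are stored in standard repository layout under a local directory; the embedded POMs are constructed sample data (the `org.example` coordinates are made up), and it deliberately skips parent-POM inheritance, `dependencyManagement`, exclusions and property expansion other than `${project.version}`, so treat its output as the request list to hand to IT rather than as a substitute for `dependency:tree`.

```python
"""List the transitive compile/runtime dependencies reachable from a root
artifact using only the POM files already available locally, and report
which coordinates still have to be requested.

Added example (not part of the original post). Sample POMs below are
constructed; simplifications: no parent inheritance, no
dependencyManagement, no exclusions, only ${project.version} expanded.
"""
import pathlib
import xml.etree.ElementTree as ET
from collections import deque

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs keyed by "groupId:artifactId:version".
SAMPLE_POMS = {
    "org.example:app:1.0": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>lib-a</artifactId><version>2.1</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version><scope>test</scope></dependency>
  </dependencies>
</project>""",
    "org.example:lib-a:2.1": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>lib-a</artifactId><version>2.1</version>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>lib-b</artifactId><version>${project.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>lib-opt</artifactId><version>1.0</version><optional>true</optional></dependency>
  </dependencies>
</project>""",
    # lib-b's POM has not been delivered yet, so its own dependencies are unknown.
}


def _text(elem, tag, default=None):
    """Text of a direct child element in the POM namespace, or default."""
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else default


def parse_dependencies(pom_xml):
    """Return non-optional compile/runtime dependency coordinates declared in a POM.

    Test/provided/system scopes and <optional>true</optional> entries are not
    pulled in transitively by Maven, so they are excluded from the request list.
    """
    root = ET.fromstring(pom_xml)
    project_version = _text(root, "version") or ""
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        scope = _text(dep, "scope", "compile")
        optional = _text(dep, "optional", "false") == "true"
        if scope not in ("compile", "runtime") or optional:
            continue
        version = _text(dep, "version", "").replace("${project.version}", project_version)
        deps.append(f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}:{version}")
    return deps


def transitive_closure(root_coord, poms):
    """Breadth-first walk from root_coord over the POMs in `poms`.

    Returns (resolved, missing): coordinates whose POM was available and was
    expanded, and coordinates reached whose POM is absent (ask IT for these,
    then re-run once their POMs arrive).
    """
    seen, resolved, missing = {root_coord}, [], []
    queue = deque([root_coord])
    while queue:
        coord = queue.popleft()
        pom = poms.get(coord)
        if pom is None:
            missing.append(coord)
            continue
        resolved.append(coord)
        for dep in parse_dependencies(pom):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return resolved, missing


def load_local_repo(repo_dir):
    """Index every .pom under a local repository directory by its coordinates."""
    poms = {}
    for path in pathlib.Path(repo_dir).rglob("*.pom"):
        xml = path.read_text(encoding="utf-8")
        root = ET.fromstring(xml)
        parent = root.find("m:parent", NS)  # groupId/version may be inherited
        group = _text(root, "groupId") or (parent is not None and _text(parent, "groupId"))
        version = _text(root, "version") or (parent is not None and _text(parent, "version"))
        poms[f"{group}:{_text(root, 'artifactId')}:{version}"] = xml
    return poms


if __name__ == "__main__":
    # With a real repo: poms = load_local_repo(pathlib.Path.home() / ".m2" / "repository")
    resolved, missing = transitive_closure("org.example:app:1.0", SAMPLE_POMS)
    print("resolved:", *resolved, sep="\n  ")
    print("request from IT:", *missing, sep="\n  ")
```

Each run expands every POM you hold and stops at the frontier of POMs you do not, so one request to IT covers a whole level of the tree instead of a single artifact; repeat until `missing` is empty. Because the walk ignores `dependencyManagement` and exclusions, it can over-request a version that Maven would later override, which is the safe direction when the goal is to get everything scanned.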


1 Answer

Unfortunately I'm not aware of any sites that give you the full transitive dependency information, but there is a good solution to the underlying problem.

Namely, you can try to convince management to use a repository manager with an artifact auditing feature.

Sonatype Nexus certainly has this (see "Artifact Procurement"), and JFrog Artifactory seems to enable this as well (through "License Control"), both as extras in paid editions.

Such an approach will save time and money in the long run. Repository managers are much less fragile than a shared local repo:

  • they are an explicit entity intended for this purpose (and Maven has specific settings explicitly intended for working with them),
  • they have dedicated authentication/authorization mechanisms that can be made to work with existing ones in your company,
  • you can use the deploy plugin with them to properly publish build artifacts,
  • etc. etc.

Another relevant reason that may sway your security body is that you'd be able to use the same auditing procedure for both external and internal artifacts.

Answered Oct 29 '22 by mikołak